Systems and methods of quota accounting

ABSTRACT

Embodiments of the invention relate generally to incremental computing. Specifically, embodiments of the invention include systems and methods that provide for the concurrent processing of multiple, incremental changes to a data value while at the same time monitoring and/or enforcing threshold values for that data value. For example, a method is provided that implements domain quotas within a data storage system.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application was filed on the same day as the followingapplications. Ser. No. ______, entitled “SYSTEMS AND METHODS OFPROVIDING POSSIBLE VALUE RANGES” [ISIL.026A], and Ser. No. ______,entitled “SYSTEMS AND METHODS OF MANAGING RESOURCE UTILIZATION ON ATHREADED COMPUTER SYSTEM” [ISIL.028A], all of which are herebyincorporated by reference in their entirety herein.

LIMITED COPYRIGHT AUTHORIZATION

A portion of the disclosure of this patent document includes materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightswhatsoever.

FIELD OF THE INVENTION

In general, embodiments of the invention relate to incrementalcomputing.

BACKGROUND

The increase in processing power of computer systems has ushered in anew era in which information is accessed on a constant basis. Multipletransactions in a computing environment often access the same data withincremental changes. In some systems, it may be advantageous to processincremental change requests, or delta transactions, concurrently. Insome systems, it may also be advantageous to establish thresholds forthe value of the data being changed incrementally. Additionally, it maybe advantageous to manage utilization of resources in the computingenvironment while managing requests for changing data.

SUMMARY OF THE INVENTION

In general, embodiments of the invention relate to incrementalcomputing. More specifically, systems and methods embodying theinvention provide support for concurrent processing of deltatransactions while monitoring and/or enforcing thresholds for the datavalues being changed incrementally.

In one embodiment, a method of determining whether multiple incrementalchanges to a data field could pass a threshold is provided. The methodmay include receiving at least one threshold related to a data field;receiving a request to incrementally modify a data value of the datafield; and determining whether the request, in combination with a subsetof other pending requests to incrementally modify the data value, couldpass the at least one threshold.

In another embodiment, a computer-readable medium having instructionsstored thereon for determining, when the instructions are executed,whether multiple incremental changes to a data field could pass athreshold is provided. The instructions may include receiving at leastone threshold related to a data field; receiving a request toincrementally modify a data value stored in the data field; anddetermining whether the request could cause an incremented data value topass the at least one threshold in combination with any subset of otherpending incremental requests.

In another embodiment, a system that determines whether a subset ofpending transactions could pass a threshold is provided. The system mayinclude a module configured to receive at least one threshold related toa data field; to receive an incremental transaction on the data field;and to determine whether the incremental transaction could cause thedata field to pass the at least one threshold in combination with anysubset of other pending incremental transactions.

In another embodiment, a method of tracking a boundary for a fieldstored in a computer system is provided. The method may includereceiving a delta request associated with a field stored in a computersystem; and computing an updated boundary value of possible values forthe field, wherein the possible values are based on the delta requestand a previous boundary value, the previous boundary value derived froma subset of other pending delta requests for the field.

In another embodiment, a system for tracking a boundary of a fieldstored in a computer system is provided. The system may include aboundary module configured to receive a delta transaction associatedwith a field stored in a computer system; and to compute an updatedboundary value based on possible values for the field, wherein thepossible values are based on the delta transaction and a previousboundary value, the previous boundary value derived from a subset ofother pending delta transactions for the field.

In another embodiment, a computer-readable medium having data structuresstored thereon for tracking a boundary of a data field is provided. Thedata structures may include a data value field, wherein the data valuefield comprises a stored data value capable of being modifiedincrementally; a plurality of delta value fields, wherein the deltavalue fields comprise, respectively, ones of a plurality of pendingincremental values to be combined with the stored data value; and atleast one boundary field, wherein the at least one boundary fieldcomprises a boundary value of possible data values resulting from acombination of the stored data value with a subset of the plurality ofpending incremental values.

In another embodiment, a method of implementing domain quotas within adata storage system is provided. The method may include receiving atleast one quota related to a size of a data domain, wherein the datadomain associates a subset of data storage within a data storage system,wherein the size measures the subset, and wherein the at least one quotadefines a threshold size for the data domain; receiving a datatransaction that could change the size of the data domain; anddetermining whether the data transaction could cause the size of thedata domain to pass the at least one quota in combination with a subsetof other pending data transactions that could also change the size ofthe data domain.

In another embodiment, a computer-readable medium having instructionsstored thereon for implementing, when the instructions are executed,domain quotas within a data storage system is provided. The instructionsmay include receiving at least one quota related to a size of a datadomain, wherein the data domain associates a subset of data storagewithin a data storage system, wherein the size measures the subset, andwherein the at least one quota defines a threshold size for the datadomain; receiving a data transaction that could change the size of thedata domain; and determining whether the data transaction could causethe size of the data domain to pass the at least one quota incombination with a subset of other pending data transactions that couldalso change the size of the data domain.

In another embodiment, a system for implementing domain quotas within adata storage system is provided. The system may include a quota moduleconfigured to receive at least one quota related to a size of a datadomain, wherein the data domain associates a subset of data storagewithin a data storage system, wherein the size measures the subset, andwherein the at least one quota defines a threshold size for the datadomain; to receive a data transaction that could change the size of thedata domain; and to determine whether the data transaction could causethe size of the data domain to pass the at least one quota incombination with a subset of other pending data transactions that couldalso change the size of the data domain.

In another embodiment, a computer-readable medium having data structuresstored thereon for implementing domain quotas within a data storagesystem is provided. The data structures may include a domain size field,the domain size field comprising a value that reflects a size of a datadomain comprising committed transactions; a bounded size field, thebounded size field comprising a value that reflects a maximum possiblesize or a minimum possible size of the data domain based on a pluralityof pending data transactions that have not committed or aborted; anincremental value field, the incremental value field comprising a valuethat reflects a change in the size of the data domain caused by a datatransaction; an operation type field, the operation type fieldcomprising a value that indicates whether the change in the size of thedata domain caused by the data transaction is either an increment or adecrement; and a quota field, the quota field comprising a value thatindicates a size threshold for either a minimum or maximum size for thesize of the data domain to be within a quota defined for the datadomain.

In another embodiment, a method of managing utilization of a resource ofa computer system having a number of threads is provided. The method mayinclude receiving a usage threshold for a resource on the computersystem and determining a usage for the resource on the system. Themethod may further include organizing the system into a number ofsubsystems, wherein the number of subsystems is two or more, and whereinthe number is determined at least in part on factors including thenumber of threads, the usage threshold, and the usage. The method mayfurther include allocating the subsystems among the threads, trackingresource usage for each subsystem, and distributing a request to modifyresource usage to at least one subsystem.

In another embodiment, a computer-readable medium having instructionsstored thereon for managing, when the instructions are executed,utilization of a resource of a computer system having a number ofthreads is provided. The instructions may include receiving a usagethreshold for a resource on the computer system and determining a usagefor the resource on the system. The instructions may further includeorganizing the system into a number of subsystems, wherein the number ofsubsystems is two or more, and wherein the number is determined at leastin part on factors including the number of threads, the usage threshold,and the usage. The instructions may further include allocating thesubsystems among the threads, tracking resource usage for eachsubsystem, and distributing a request to modify resource usage to atleast one subsystem.

In another embodiment, a system for managing utilization of a resourceof a computer system having a number of threads is provided. The systemmay include a module configured to receive a usage threshold and todetermine usage for a resource on the computer system. The module may befurther configured to organize the computer system into a number ofsubsystems, wherein the number is two or more and depends at least inpart on factors including the number of threads, the usage threshold,and the usage. The module may be further configured to allocate thesubsystems among the threads for tracking resource usage for eachsubsystem, and to distribute a request to modify resource usage to atleast one subsystem.

For purposes of this summary, certain aspects, advantages, and novelfeatures of the invention are described herein. It is to be understoodthat not necessarily all such advantages may be achieved in accordancewith any particular embodiment of the invention. Thus, for example,those skilled in the art will recognize that the invention may beembodied or carried out in a manner that achieves one advantage or groupof advantages as taught herein without necessarily achieving otheradvantages as may be taught or suggested herein.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A and 1B illustrate a problem that may arise with concurrentincremental changes and one embodiment of a possible solution usingpossible value ranges.

FIGS. 2A and 2B illustrate embodiments of a computer system configuredto implement possible value ranges for incremental computing.

FIG. 3 illustrates embodiments of writing delta transactions to ajournal and determining the possible value range of the deltatransactions.

FIGS. 4A and 4B illustrate flow charts of embodiments of writing a deltatransaction to a journal after determining whether the delta can beapplied without passing a threshold.

FIG. 5 illustrates one embodiment of processing delta transactions witha shared and an exclusive lock, respectively.

FIG. 6 illustrates one embodiment of a state diagram of thresholds for adata value being changed incrementally.

FIG. 7 illustrates one embodiment of three domains within a file system.

FIG. 8 illustrates various threshold values defined for three differentdomains.

FIG. 9 illustrates one embodiment of a timing diagram of a distributedcomputing system that implements incremental computing.

FIGS. 10A, 10B, 10C, 10D, 10E, 10F, and 10G illustrate embodiments ofdetermining whether a delta transaction can be applied without passing athreshold.

FIG. 11 illustrates embodiments of resource usage management systems ona distributed computing system.

FIG. 12 illustrates an embodiment of an example accounting system C₀ forthe domain d₀ that has been organized into three example accountingsubsystems C₀₀, C₀₁, and C₀₂ each of which tracks usage in a portion ofthe domain.

FIG. 13 illustrates an embodiment of an abstract data structure that canbe used to implement a quota domain account for tracking resource usagefor a quota domain.

FIG. 14 illustrates an embodiment of an example allocation of quotaaccount constituents and mirrored quota accounting blocks in a quotadomain system.

FIG. 15 is a flow chart that illustrates an embodiment of a constituentreorganization method for a quota accounting domain.

FIG. 16 is a flow chart that illustrates an embodiment of a method bywhich a quota constituent module can organize a quota domain intoconstituents.

FIG. 17 is a flow chart that illustrates an embodiment of a method bywhich the quota constituent module can allocate the constituents tonodes of a file system.

FIG. 18 is a graph schematically illustrating one example embodiment ofhow the number of constituents may depend on proximity of resource usageto a limit, such as, for example, an advisory, a soft, or a hard limit.

FIG. 19A is one embodiment of a graph that illustrates the number ofconstituents in a singleton mode of reorganization as a function of spanat the time of the reorganization.

FIG. 19B is one embodiment of a graph that illustrates the number ofconstituents that may be selected during a linear mode of reorganizationas a function of span at the time of reorganization.

FIG. 19C is one embodiment of a graph that illustrates the number ofconstituents that may be selected during a 1-or-N mode of reorganizationas a function of span at the time of reorganization.

FIG. 20A is one example of a chart that illustrates properties relatedto the constituents of the quota accounting system at six snapshots in atime period during which several linear mode reorganizations occur.

FIG. 20B is one example of a graph that shows the number of constituentsas a function of usage for the example system illustrated in FIG. 20A.

These and other features will now be described with reference to thedrawings summarized above. The drawings and the associated descriptionsare provided to illustrate embodiments of the invention and not to limitthe scope of the invention. Throughout the drawings, reference numbersmay be reused to indicate correspondence between referenced elements. Inaddition, the first digit of each reference number generally indicatesthe figure in which the element first appears.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

Systems and methods which represent one embodiment of an exampleapplication of the invention will now be described with reference to thedrawings. Variations to the systems and methods which represent otherembodiments will also be described.

For purposes of illustration, some embodiments will be described in thecontext of a distributed file system. The present invention is notlimited by the type of environment in which the systems and methods areused, however, and systems and methods may be used in otherenvironments, such as, for example, other file systems, otherdistributed systems, the Internet, the World Wide Web, a private networkfor a hospital, a broadcast network for a government agency, and aninternal network for a corporate enterprise, an Intranet, a local areanetwork, a wide area network, a wired network, a wireless network, andso forth. Some of the figures and descriptions, however, relate to anembodiment of the invention wherein the environment is that of adistributed file system. It is also recognized that in otherembodiments, the systems and methods may be implemented as a singlemodule and/or implemented in conjunction with a variety of other modulesand the like. Moreover, the specific implementations described hereinare set forth in order to illustrate, and not to limit, the invention.The scope of the invention is defined by the appended claims.

One example of a distributed file system, in which embodiments ofsystems and methods described herein may be implemented, is described inU.S. patent application Ser. No. 10/007,003 entitled “SYSTEMS ANDMETHODS FOR PROVIDING A DISTRIBUTED FILE SYSTEM UTILIZING METADATA TOTRACK INFORMATION ABOUT DATA STORED THROUGHOUT THE SYSTEM,” filed Nov.9, 2001, which claims priority to Application No. 60/309,803 filed Aug.3, 2001, U.S. Pat. No. 7,146,524 entitled “SYSTEMS AND METHODS FORPROVIDING A DISTRIBUTED FILE SYSTEM INCORPORATING A VIRTUAL HOT SPARE,”filed Oct. 25, 2002, and U.S. patent application Ser. No. 10/714,326entitled “SYSTEMS AND METHODS FOR RESTRIPING FILES IN A DISTRIBUTED FILESYSTEM,” filed Nov. 14, 2003, which claims priority to Application No.60/426,464, filed Nov. 14, 2002, all of which are hereby incorporated byreference herein in their entirety.

I. Overview

In general, embodiments of the invention relate to incrementalcomputing. More specifically, embodiments of the invention allow for theconcurrent processing of multiple, incremental changes to a data valuewhile at the same time monitoring and/or enforcing threshold values forthat data value. FIG. 1A illustrates a problem addressed by embodimentsof the invention. FIG. 1A illustrates a group of potential deltatransactions 100. These potential delta transactions 100 are associatedwith data 102, a low threshold 104 and a high threshold 106.Specifically, the initial value of data 102 is seventy-five; the valueof the low threshold 104 is zero; and the value of the high threshold106 is one-hundred. In other words, two threshold values have beendefined for data 102, which collectively define a range of possiblevalues for data 102 that do not pass either threshold. In theillustrated example, there are eight incremental values in the group ofpotential delta transactions 100. Delta transactions may be incrementalchanges to, for example, a data field. The illustrated deltatransactions include an incremental value and an associated operationtype that is either positive or negative, corresponding to increment ordecrement, respectively. Taken together, the incremental value and theoperation type define an incremental operation to be performed on thevalue of data 102. Depending on the sequence in which these potentialincremental changes are processed, the data value may or may not passone of the two thresholds, low threshold 104 or high threshold 106.There are three illustrated transaction sequences 108. In Sequence #1,the third incremental change causes the value of data 102 to pass thevalue of high threshold 106. In Sequence #2, the third incrementalchange causes the value of data 102 to pass the value of low threshold104. In Sequence #3, the incremental changes are processed in such anorder that the value of data 102 never passes either the value of lowthreshold 104 or the value of high threshold 106.

In many computing environments, there may be no fixed sequence order forprocessing pending transactions. Furthermore, in some computingenvironments, some pending transactions may be aborted, adding increasedvariability to the possible value of a certain data. In suchenvironments, it may be advantageous to know whether any combination ofpending delta transactions could cause, for example, an affected datafield to pass a defined threshold. FIG. 1B illustrates one embodiment ofan example of using possible value ranges 110 to determine whether acombination of pending transactions 112 would cause a value of data 102to pass the value of either low threshold 104 or the value of highthreshold 106. There are eight potential delta transactions 100illustrated in FIG. 1B. As these incoming, potential transactions areconsidered as possible candidates to become pending transactions—thatis, transactions that may be processed, for example, without regard totheir order of arrival—a computing system may evaluate whether the newlyconsidered transaction could cause, in combination with any other subsetof pending transactions, the value of data 102 to pass, for example, thevalue of low threshold 104 or the value of high threshold 106.Determining a possible value range is one method for determining whetherany subset of pending transactions may exceed a threshold. In theexample illustrated in FIG. 1B, the delta transaction “+20” isconsidered first. If transaction “+20” becomes pending, the lowestpossible value of data 102 would not be affected because transaction“+20” could only cause the value of data 102 to increase. In contrast,if transaction “+20” becomes pending, the highest possible value of data102 would be ninety-five because, if transaction “+20” completes andthere are no other pending transactions, the value of data 102 would bethe initial value, seventy-five, plus twenty. In some embodiments of anincremental computing system, transaction “+20” would be allowed tobecome pending because it could not cause the value of data 102 to passeither the value of low threshold 104 or the value of high threshold106.

In the example illustrated in FIG. 1B, transaction “−75” is consideredsecond. If transaction “−75” becomes pending, the lowest possible valueof data 102 would be zero. The value of data 102 would be zero if thetransaction “+20” aborts and the transaction “−75” completes. Thehighest possible value of data 102 would not be affected, if transaction“−75” became pending, because transaction “−75” could only cause thevalue of data 102 to decrease. In some embodiments of an incrementalcomputing system, transaction “−75” would be allowed to become pendingbecause it could not cause the value of data 102 to pass either thevalue of low threshold 104 or the value of high threshold 106.

In the example illustrated in FIG. 1B, transaction “+10” is consideredthird. If transaction “+10” becomes pending, the lowest possible valueof data 102 would still be zero because transaction “+10” could onlycause the value of data 102 to increase. If transaction “+10” becomespending, however, the highest possible value of data 102 would beone-hundred and five. The value of data 102 could be one-hundred andfive if the “+20” and “+10” transactions complete and the “−75”transaction aborts. In some embodiments of an incremental computingsystem, transaction “+10” would not be allowed to become pending, as anincremental transaction, because it could cause the value of data 102 topass the value of high threshold 106, which is one-hundred. In otherembodiments, transactions that could cause a data value to pass athreshold may still be allowed to become pending, once othertransactions have resolved, but may, for example, trigger a notificationor trigger a condition to be monitored.

Although, in the incremental computing system described above, possiblevalue ranges are used to monitor thresholds in a transaction environmentwhere some transactions fail, in other incremental computing systemspossible value ranges may be used to monitor thresholds even where alltransactions complete. For example, it may be advantageous to know priorto transaction completion whether a certain pending value could cause,in combination with the other pending values, a data value to pass athreshold. If a potential transaction could later cause, in combinationwith the pending transactions, a threshold to be passed, an incrementalcomputing system may, for example, prevent such a potential transactionfrom becoming pending, may notify a resource that the newest pendingtransaction will cause a threshold to be passed, and/or may monitor acondition associated with the forecasted passing of the threshold value.

A storage system is one example of a computing system that may usepossible value ranges to determine whether a transaction could cause, incombination with a subset of previously pending transactions, to pass athreshold. For example, in a storage system, it may be advantageous toprocess multiple incremental requests to change a value at a storagelocation. In some systems, writing a new incremental value may includerequesting permission from a resource, such as a disk drive, in order towrite the transaction to a specified storage location. Processing asingle write request may involve many different processes including, forexample, writing a copy of the value to a journal that temporarilystores the value before verification that the value has been written tolong-term storage, such as a hard-disk drive; verifying that a datavalue has been successfully written to a storage device, such as ahard-disk drive; and communicating with other computing devices that maybe involved with a related transaction that could cause the incrementaltransaction to either commit or abort. While these operations are beingperformed, other incremental change requests, or delta transactions, mayarrive at the same time. It may be advantageous to process concurrentlyas many relevant operations for each delta transaction as possible. Insome systems, it may be possible to write multiple pending deltatransactions to a journal. These pending delta transactions may berecorded in the journal during overlapping periods of time until, forexample, a long-term storage device is available to write the value at aparticular storage location, including the cumulative value of thepending incremental changes to the value that accumulated whileattempting to gain access to the long-term storage device.

Embodiments of a journal system, in which embodiments of systems andmethods described herein may be implemented, are described in U.S.patent application Ser. No. 11/506,597, entitled “SYSTEMS AND METHODSFOR PROVIDING NONLINEAR JOURNALING,” filed Aug. 18, 2006; U.S. patentapplication Ser. No. 11/507,073 entitled “SYSTEMS AND METHODS FORPROVIDING NONLINEAR JOURNALING,” filed Aug. 18, 2006; U.S. patentapplication Ser. No. 11/507,070, entitled “SYSTEMS AND METHODS FORPROVIDING NONLINEAR JOURNALING,” filed Aug. 18, 2006; and U.S. patentapplication Ser. No. 11/507,076, entitled “SYSTEMS AND METHODS FORALLOWING INCREMENTAL JOURNALING,” filed Aug. 18, 2006. All four of theforegoing applications are hereby incorporated by reference herein intheir entirety.

II. Computing System

FIGS. 2A and 2B illustrate embodiments of a computing system thatimplements possible value ranges for incremental computing. FIG. 2Aillustrates a computing system 200 with a processor 202, a system memory204, a persistent memory 206, a storage 208, and system modules 210.These components and modules are connected via an internal communicationsystem. Typically, computing system 200 processes system modules 210with processor 202, and writes data associated with system modules 210to system memory 204, persistent memory 206, and/or storage 208. In theillustrated embodiment, persistent memory 206 is designated as a journalfor computing system 200. In other embodiments, computing system 200 mayhave additional components and/or modules. Alternatively, computingsystem 200 may have fewer components and/or modules than illustrated inFIG. 2A. For example, in some embodiments, computing system 200 may nothave persistent memory 206. In addition, one or more of the componentsor modules may be combined or divided as subcomponents or submodules.

A. Example Components/Modules

Although storage 208 is illustrated as a single storage device, in otherembodiments storage 208 may include an array of one or more types ofstorage devices. Multiple processors, system memory components, andpersistent memory components may also be included. Furthermore, althoughembodiments of the invention are generally described with respect tostorage devices based on hard-disk drives, other embodiments may beimplemented on systems including alternative forms of storage, such assolid state disks (or drives), random access memory (RAM) disks, Flashdisks, combinations of the same, and suitable equivalents. Similarly,embodiments of the invention may include storage devices with variousimplementations of system memory 204, including memory based on staticRAM (SRAM), non-volatile RAM (NVRAM), dynamic RAM (DRAM), combinationsof the same, and suitable equivalents. It will be appreciated by oneskilled in the art how to implement embodiments of the invention onstorage systems using suitable alternative storage-related devices.

In the illustrated embodiment, a journal of disk writes to storage 208is stored in persistent memory 206. Persistent memory, as describedherein, may refer to memory devices whose content remain stable despitepower failure to the device. For example, a hard-disk drive is anexample of persistent storage. Hard-disk drives retain their content,even in the absence of a power supply. Hard-disk drives do not, however,have efficient random access. Relatively long seek times limit theadvantageous use of hard-disk drives for journal storage. Although ahard-disk drive may be used to store a journal, in some embodimentsnonvolatile random access memory (NVRAM) is preferred. Flash memory, forexample, has faster access times in comparison with hard-disk drives.One disadvantage of Flash memory, however, is its relatively limitedlifecycle. In one embodiment, persistent memory 206 is battery-backedRAM, such that if it loses power, the backup battery maintains itspersistent state. Battery-backed RAM has the advantage of efficientaccess time, long lifecycle, and persistent state, making it a suitablesource of persistent memory 206 for storing a journal. Becausebattery-backed RAM can lose its memory contents in the event that thebattery fails, persistent memory 206 includes not only those storagemediums that maintain their contents without any power; such as ahard-disk drive, but may also include storage mediums with suitablepower-supply backups. Persistent memory 206 may also include magneticrandom access memory (MRAM), which has access time and lifecycleadvantages of battery-backed RAM without having a backup power supply.It will be appreciated by one skilled in the art that persistent memory206 may include many suitable forms of nonvolatile memory, including,for example, magnetic random access memory (MRAM), Flash RAM,battery-backed RAM, combinations of the same, and suitable equivalents.

Although in the illustrated embodiment system modules 210 areillustrated as a separate component, the system modules 210 are programinstructions that may be stored in a variety of suitable locations,including, for example, local partitions on storage 208 or dedicatedstorage devices. In general, the word module, as used herein, refers tologic embodied in hardware or firmware, or to a collection of softwareinstructions, possibly having entry and exit points, written in aprogramming language, such as, for example, C or C++. A software modulemay be compiled and linked into an executable program, installed in adynamic link library, or may be written in an interpreted programminglanguage such as, for example, BASIC, Perl, or Python. It will beappreciated that software modules may be callable from other modules orfrom themselves, and/or may be invoked in response to detected events orinterrupts. Software instructions may be embedded in firmware, such asan EPROM. It will be further appreciated that hardware modules may becomprised of connected logic units, such as gates and flip-flops, and/ormay be comprised of programmable units, such as programmable gate arraysor processors. The modules described herein are preferably implementedas software modules, but may be represented in hardware or firmware.Moreover, although in some embodiments a module may be separatelycompiled, in other embodiments a module may represent a subset ofinstructions of a separately compiled program, and may not have aninterface available to other logical program units.

In some embodiments, computing system 200 may comprise a variety ofcomputer systems such as, for example, a computer, a server, a smartstorage unit, and so forth. In one embodiment, the computer may be ageneral purpose computer using one or more microprocessors, such as, forexample, a Pentium processor, a Pentium II processor, a Pentium Proprocessor, a Pentium IV processor, an x86 processor, an 8051 processor,a MIPS processor, a Power PC processor, a SPARC processor, an Alphaprocessor, and so forth. The computer may run a variety of operatingsystems that perform standard operating system functions such asopening, reading, writing, and closing a file. It is recognized thatother operating systems may be used, such as, for example, Microsoft®Windows® 3.X, Microsoft® Windows® 98, Microsoft® Windows® 2000,Microsoft® Windows® NT, Microsoft® Windows® Vista® , Microsoft® Windows®CE, Microsoft® Windows® ME, Palm Pilot OS, Apple® MacOS®, Disk OperatingSystem (DOS), UNIX, IRIX, Solaris, SunOS, FreeBSD, Linux®, IBM® OS/2®operating systems, and so forth.

In some embodiments, computing system 200 may be connected to a clusterof networked computing devices, forming a distributed network system. Adistributed network system may be arranged in many topologies,including, but not limited to, the following topologies:fully-connected, ring, mesh, star, line, tree, bus topologies, and soforth. It will be appreciated by one skilled in the art that variousnetwork topologies and/or combinations thereof may be used to implementdifferent embodiments of the invention. In addition, it is recognizedthat nodes in a distributed network system may be connected directly,indirectly, or a combination of the two, and that all of the nodes maybe connected using the same type of connection or one or more differenttypes of connections. It is also recognized that in other embodiments, adifferent number of nodes may be included in the cluster, such as, forexample, 2, 16, 83, 6, 883, 10,000, and so forth.

In one embodiment, the nodes of a distributed network system areinterconnected through a bi-directional communication link wheremessages are received in the order they are sent. In one embodiment, thelink comprises a “keep-alive” mechanism that quickly detects when nodesor other network components fail, and the nodes are notified when a linkgoes up or down. In one embodiment, the link includes a TransmissionControl Protocol (TCP) connection. In other embodiments, the linkincludes a Session Description Protocol (SDP) connection overInfiniband, a wireless network, a wired network, a serial connection,Internet Protocol (IP) over FibreChannel, proprietary communicationlinks, connection based datagrams or streams, and/or connection basedprotocols.

B. Example Data Structures

FIG. 2B illustrates one embodiment of three of the components ofcomputing system 200 in more detail. Specifically, FIG. 2B illustratessome of the data and data structures stored in system memory 204,persistent memory 206, and storage 208. Storage 208 is a hard-disk drivewith multiple disk platters. The disk platters are divided into smallerdata blocks, or disk blocks. Within a disk block, there may be multipleoffset values that define different storage locations on the block. Inthe illustrated embodiment, the storage location 211 is defined as beingon disk block “z” at offset “428.” Conceptually, a data block may be anysize of data, such as a single bit, a byte, a gigabyte, or even larger.In some embodiments, a data block is the smallest logical unit of datastorage in a file system. Additionally and/or alternatively, a filesystem may use data block sizes that are different from the native blocksize of a disk. For example, a disk may have a native size of 512 bytes,but a file system may address 4096 bytes or 8192 bytes. One skilled inthe art will appreciate that file systems may be implemented with manysuitable data block sizes, including, but not limited to, 512 bytes,4096 bytes, and 8192 bytes. In some embodiments, the block size may beconfigurable. It will be further appreciated that, although theillustrated embodiment illustrates a single data block size, filesystems may be implemented with variably sized data blocks.

There are various data values stored in system memory 204 thatcorrespond to storage location 211. Storage reference 212 is a pointervalue that refers to the storage location 211 on storage 208. Usage 214stores the value of the data stored at storage location 211. In theillustrated embodiment, usage 214 corresponds to a “usage” value of, forexample, a defined domain of directories and files within a file system.PVR reference 216 is a pointer to possible value range (PVR) variablesincluding, low value 218, and high value 220. Threshold reference 222 isa pointer to threshold variables for usage 214, including low threshold224 and high threshold 226. Delta reference 228 is a pointer referenceto the values of delta transactions for usage 214, including deltavalues 230. Although in the illustrated embodiment the delta values 230are illustrated as positive and negative values, in other embodimentsthe delta values 230 may be unsigned values. Additionally and/oralternatively, there may be additional variables defining the respectivesigns of data values 230.

Persistent memory 206 includes a journal data structure 232. Journaldata structure 232 includes a journal block 234 that is a pointerreference to a linked list of transaction blocks 236. The transactionblocks 236, respectively, link together all of the associated data blockwrites for respective transactions. For example, the transaction T₀includes a block descriptor 240 and a block value 242. Block descriptor240 includes a pointer reference to storage location 211. Block value242 stores the value that is to be written to storage location 211.Transactions T₁ and T₂ include delta transactions that modify the valuestored at storage location 211. These delta transactions 244 include areference to the storage location 211 to which they correspond, as wellas an incremental value and associated sign. When it comes time to writethe value of usage 214 to storage location 211, the incremental valuesof the delta transactions 244 will be combined with the data value 242and written to storage location 211.

III. Possible Value Range (PVR) Module

In some embodiments, a possible value range is a closed range [v_(l),v_(h)] describing bounds (or boundaries) for the possible values of avariable. A possible value range module tracks one or more boundariesfor a data field stored in a computer system. The boundaries are thelowest and/or highest possible values that may be stored in the datafield. Thus, the possible value range is a set of boundary limits forthe value of a given data field. Table 1 describes one embodiment of apossible value range (PVR).

TABLE 1 Initial State 100 Uncommitted TXN 1 +1 Uncommitted TXN 2 −2Uncommitted TXN 3 −10 Possible value Range [88:101]

The illustrated PVR keeps track of both a lower and upper (or low andhigh) boundary value for a variable with an initial value of “100.”Three subsequent transactions that incrementally modify this same datafield are processed. Because these transactions are “uncommitted,” thesystem cannot determine with certainty the exact value of the datafield. In other words, in one embodiment, until the system hasdetermined whether certain pending (uncommitted) transactions, affectinga particular variable, will execute (commit) or not execute (abort), thePVR module can track the lower and upper bounds of the possible valuesfor the particular variable. Therefore, the PVR module uses the PVR totrack the possible lower and upper boundary values of the data field.

Specifically, when the first uncommitted transaction is accounted for,the PVR for the variable would be “[100:101],” indicating that thelowest possible value of the variable would be “100” and the highestpossible value would be “101.” When the second uncommitted transactionis accounted for, the PVR for the variable would then be “[98:101].” Ifthe first transaction aborted and the second transaction committed, thevariable with initial state of “100” would be decremented “−2” withoutbeing incremented “+1”, yielding a result of “98.” Finally, when thethird uncommitted transaction is accounted for, the PVR for the variablewould be “[88:101],” as illustrated. If both the second and thirdtransactions committed, but the first transaction aborted, the variablewould have a value of “88.” On the other hand, if the first transactioncommitted and the second and third transactions aborted, then thevariable would have a value of “101.” There are, of course, otherpossible values, including “99” (TXN 1 and TXN 2 commit; TXN 3 aborts),“89” (TXN 1, TXN 2, and TXN 3 commit), “100” (TXN 1, TXN 2, TXN 3abort), “91” (TXN 1 and TXN 3 commit; TXN 2 aborts), “98” (TXN 2commits; TXN 1 and TXN 3 abort), and “90” (TXN 3 commits; TXN 1 and TXN2 abort). The embodiments described herein, generally, describe a PVRmodule that tracks upper and lower boundary values. Other embodimentscould track the possible middle boundaries/values. In some embodiments,the boundary values of a PVR may be inclusive, and, in otherembodiments, the boundary values may be exclusive. In other words, insome embodiments, the possible value range of a variable may include theboundary value, and, in other embodiments, the possible value range of avariable excludes the boundary value.

Table 2 illustrates one embodiment of operations to track a low valuev_(l) and high value v_(h) (in other words, a lower bound and an upperbound) of a variable. These possible values are modified as uncommittedincremental, or delta (Δ), transactions are accounted for, causing a“change” in the PVR (incrementing the high value for increments anddecrementing the low value for decrements) and then either committed(incrementing the low value for increments and decrementing the highvalue is decrements) or aborted (decrementing the high value forincrements and incrementing the low value for decrements).

TABLE 2 Operation Increment Decrement Change ν_(h) += Δ ν_(l) −= ΔCommit ν_(l) += Δ ν_(h) −= Δ Abort ν_(h) −= Δ ν_(l) += Δ

If, for example, the PVR is [88:101], and TXN 2 commits, then the highvalue is decremented by the respective delta (“2”), yielding a PVR of[88:99]. As described here, the “delta” refers to the unsignedincremental value. If TXN 3 then aborts, the low value is incremented bythe respective delta (“10”), yielding a PVR of [98:99]. If TXN 1 thencommits, the low value is incremented by the respective delta (“1”),yielding a PVR of [99:99].

A. Exemplary PVR Enabled Journal

FIG. 3 illustrates one embodiment of tracking PVRs in a journalsubsystem. As described above with reference to FIG. 2B, computingsystem 200 includes persistent memory 206, which keeps a journal of datawrites to storage 208. In one embodiment of a journal subsystem,transactions are stored in a journal in, for example, one of threestates: prepared (p), committed (c), or aborted (a). Preparedtransactions are uncommitted transactions that have been written to thejournal in preparation to being written to the storage (if committed).If these prepared transactions include incremental changes (or deltatransactions) to a storage location already written to the journal (inanother transaction, for example), a PVR module adjusts the PVR of thestorage location to account for the incremental change (or deltatransaction) included in the newly prepared transaction. One skilled inthe art will appreciate that a PVR module may adjust the PVR of astorage location before or after an incremental change (or deltatransaction) is written to a journal. Committed transactions aretransactions that have been committed by the system to be written tostorage. In the illustrated embodiment, if a committed transactionincludes delta transactions for any storage locations, the PVRs of thesestorage locations are adjusted to reflect that the respectiveincremental changes (or delta transactions) are committed, and,therefore, no longer contribute to the uncertainty of the “possible”value ranges corresponding to the respective storage locations. Abortedtransactions are transactions that have been aborted by the system andare not written to storage. In the illustrated embodiment, if an abortedtransaction includes delta transactions for any storage locations, thePVRs of these storage locations are adjusted to reflect that therespective incremental changes (or delta transactions) are aborted, and,therefore, no longer contribute to the uncertainty of the “possible”value ranges corresponding to the respective storage locations.

In 300, there is one transaction, T₀, linked into the journal.Transaction T₀ is “committed,” meaning that computing system 200 hascommitted to write the storage locations associated with transaction T₀to their respective storage locations. One of the storage locationsassociated with transaction T₀ is storage location [z, 428]. Thisstorage location corresponds to disk block “z” at offset “428” onstorage 208. The PVR of the data to be stored at storage location [z,428] is [75:75]. In other words, the lowest possible value of storagelocation [z, 428] is “75,” and the highest possible value of storagelocation [z, 428] is also “75.” This indicates that there are no deltascorresponding to storage location [z, 428].

In 302, a new transaction is linked into the journal. Transaction T₁ isin the “prepared” state, meaning that it has been recorded in thejournal, but the computing system 100 has not committed to executingtransaction T₁. One of the storage locations affected by transaction T₁is storage location [z, 428]. Transaction T₁ adds the incremental valueof “25” to the value stored at location [z, 428]. Because theincremental change is an increment, the high value of the PVRcorresponding to [z, 428] is increased to “100,” the value of thestorage location in transaction T₀ and the incremental value intransaction T₁. Because the delta transaction corresponding totransaction T₁ would not cause a decrement to the value of the datacorresponding to storage location [z, 428], the lowest possible valueremains the same. Thus, the total possible value range in 302 is[75:100].

In 304, a new transaction, T₂, is linked into the journal. It is also inthe “prepared” state, meaning that the computing system 100 has notcommitted to modifying the relevant storage locations. One of thestorage locations affected by transaction T₂ is storage location [z,428]. Transaction T₂ decrements the value stored at [z, 428] by 10.Thus, the low value of the PVR for the value of the data stored at [z,428] is now 65. The high value remains the same. Thus, the possiblevalue range for the data stored at [z, 428] is [65: 100].

In 306, transaction T₂ commits, meaning that the system is committed towriting the storage locations corresponding to transaction T₂. BecauseT₂ has been committed, the PVR for the data stored at [z, 428] isadjusted. The high value is decremented by 10, resulting in the value of“90.” The low value of the data stored at [z, 428] is still 65. Thus,the possible value range is [65:90].

In 308, transaction T₁ aborts, meaning that the corresponding storagelocations will not be modified by T₁. Because T₁ will no longer beexecuted, the PVR of the data stored at [z, 428] is adjusted. The highvalue of the PVR is now 65, which is also the low value because thereare no uncommitted delta transactions pending. Thus, the PVR is thecumulative sum of the data value “75” and the committed deltatransactions, which in this example is the delta transaction “−10.”

B. Threshold Evaluation Procedures

FIG. 4 illustrates a flow chart of one embodiment of determining whetherto write a delta to a journal, such as journal 232. In the illustratedembodiment, a delta transaction is written to the journal if the deltatransaction could not, in combination with any other set of pendinguncommitted transactions, cause the PVR for the associated storagelocation to pass a threshold. To determine whether a threshold could bepassed, the PVR module determines a temporary PVR—the PVR that couldresult with the addition of the delta transaction—and compares theadjusted low/high value to the corresponding threshold.

In state 402, the PVR module receives a delta, an operation, and athreshold for a storage location—for example, a particular data blockand offset stored on storage 208. In state 404, the PVR moduledetermines the current PVR for the block and the offset. In state 406,the PVR module determines whether the delta can be applied withoutpassing the threshold. This determination is discussed in greater detailbelow with reference to FIG. 4B. If the delta cannot be applied withoutpassing the threshold, then the PVR module returns an error. In someembodiments, the system may respond to the error by, for example,retrying after an elapse of time or some other suitable condition orallowing the delta transaction in a serial, exclusive, or locked mode.In state 408, if the PVR module determines that the delta can be appliedwithout passing the threshold, the PVR module writes the delta to thejournal, in state 410.

The following is exemplary pseudocode of one embodiment of determiningwhether to write a delta to a journal. It will be appreciated by oneskilled in the art that there are many suitable ways to determinewhether to write a delta to a journal.

write_delta(transaction, address, offset, op, delta, threshold) {   /*   * Look up the disk block for the given address so we can    * try toapply a delta to it.    */   block = get_block_for_delta(transaction,address);   /*    * Look up the pvr for this disk block and offset,    *creating one if necessary.    */   pvr = get_or_create_pvr(block,offset);   /* Try to apply the delta */   error = apply_delta(op, delta,pvr, threshold);   if (error)     goto out;   /*    * If the deltadidn't cross the threshold, write it to the    * journal as part of thistransaction    */   write_delta_to_journal(transaction, block, offset,op, delta); out:   return error; }

FIG. 4B illustrates, in greater detail, one embodiment of state 406 ofFIG. 4A, which determines whether a delta can be applied without passinga threshold. In state 452, the PVR module determines whether theoperation is an increment or decrement. If the operation is a decrement,the PVR module determines whether decrementing the lower bound of thePVR would avoid passing the lower threshold, in state 454. If theoperation is an increment, the PVR module determines whetherincrementing the upper bound of the PVR would avoid passing the upperthreshold, in state 456. If decrementing the lower bound or incrementingthe upper bound would cause the possible value to pass the lower orupper thresholds, respectively, the PVR module returns the answer “no,”in state 458. If decrementing the lower bound of the PVR would not passthe lower threshold, the PVR module adjusts the lower bound to reflectthe delta, in state 460. If incrementing the upper bound of the PVRmodule would avoid passing the upper threshold, the PVR module adjuststhe upper bound to reflect the delta, in state 462. After adjustingeither the lower bound or the upper bound, the PVR module returns theanswer “yes,” in state 464.

The following is exemplary pseudocode of one embodiment of determiningwhether a delta can be applied without passing a threshold. It will beappreciated by one skilled in the art that there are many suitable waysto determine whether a delta can be applied without passing a threshold.

apply_delta(op, delta, pvr, threshold) {   pvr_orig = pvr;   pvr_tmp =pvr;   error = 0;   switch (op) {   case ADD:     pvr_tmp.high += delta;    if (pvr_tmp.high < pvr_orig.high /* overflow */ ||      pvr_tmp.high > threshold /* crossed threshold */) {         error= ESPANSRANGE;         goto out;     }   case SUB:     pvr_tmp->low −=delta;     if (pvr_tmp.low > pvr_orig.low /* overflow */ ||      pvr_tmp.low < threshold /* crossed threshold */) {         error =ESPANSRANGE;         goto out;     }   }   /* Copy out the modified pvr*/   pvr = pvr_tmp; out:   return error; }

C. Example Transactions

FIG. 5 illustrates one embodiment of how a group of transactions usepossible value ranges (PVRs) to acquire an exclusive lock to pass athreshold. State 500 illustrates a set of initial conditions. Acomputing system, such as computing system 200, has a data field with aninitial value V_(i) set to “1000,” a low threshold set to “0,” and ahigh threshold set to “1400.” Because there are no deltas defined in theinitial state, the PVR of the data value, initially, is [1000:1000].

In state 502, transaction T₀ prepares. In the illustrated embodiment,when a transaction prepares, the associated delta is written to thejournal. Because the transaction has not yet committed, the value of theassociated data block is not certain. If transaction T₀ aborts, thevalue remains “1000.” If the transaction T₀ commits, then the valuewould be 1300, as the incremental value of transaction T₀ for the datavalue is “300” and the operation type is increment. Thus, in state 502,the PVR is [1000:1300].

In state 504, transaction T₁ prepares. Transaction T₁, if committed,would decrement the value by “100.” If transaction T₀ aborted andtransaction T₁ committed, then the data value would be “900.” Thus, thelowest possible value is “900.” If transaction T₀ commits andtransaction T₁ aborts, then the data value would be “1300,” which is thehighest possible value. Thus, the PVR is [900:1300]. If both T₀ and T₁commit, then the data value would be “1200.” If transaction T₀ andtransaction T₁ both abort, then the data value would be “1000.”

In state 506, transaction T₂ attempts to prepare. Because transaction T₂would cause the PVR to pass the high threshold of “1400,” transaction T₂is not written to the journal. Subsequently, transaction T₂ requests anexclusive lock in order to serially handle the application of the delta,which could pass a threshold. In state 508, transaction T₀ aborts, andthe PVR module adjusts the possible value range to [900:1000]. In state510, transaction T₂ attempts to prepare again. Because transaction T₂would still cause the possible value range to pass the high threshold,transaction T₂ is not allowed to prepare. Transaction T₂ continues torequest the exclusive lock. In the illustrated embodiment, a disallowedtransaction could repeatedly check to see if it still should request anexclusive lock before it receives one. Alternatively, a disallowedtransaction would request an exclusive lock just once, and then wait forit. One skilled in the art will appreciate the various possibleimplementations of requesting/granting shared and exclusive locks. Instate 512, transaction T₁ commits, causing the possible value range tobe [900:900]. Although not illustrated, in some embodiments, transactionT₂ could check whether it still should request an exclusive lock.

In state 514, transaction T₂ acquires an exclusive lock. Transaction T₂then prepares, causing the possible value range to adjust to [900:1500].In state 516, transaction T₂ commits, causing the possible value rangeto change to [1500:1500]. In state 518, the PVR module resets thethresholds and the initial value because a threshold has been passed.The data value is updated to the current value of 1500. In theillustrated embodiment, an upper threshold is now set at 2000, and theprevious upper threshold becomes a lower threshold. The PVR of the datavalue is now [1500:1500]. In the embodiment just described, atransaction is allowed to pass a threshold after acquiring an exclusivelock. Thresholds may be defined with different characteristics thatcause different handling after acquiring an exclusive lock. Somethresholds, for example, may merely issue an advisory notice that athreshold has been passed, some may prevent a threshold from beingpassed, and some may prevent a threshold to be passed while certainconditions are met. One skilled in the art will appreciate that thereare many suitable ways to define characteristics of thresholds. Someexemplary threshold types are discussed in greater detail below withreference to FIG. 6.

In state 520, transaction T₃ acquires a shared lock, and attempts toprepare. Because transaction T₃ could cause the possible value range topass the lower threshold, it is not allowed to prepare. Transaction T₃then requests an exclusive lock. In state 522, transaction T₄ preparesbecause it would not cause the possible value range to pass either thelow or high threshold. The possible value range is now 1500:1600. Theresolution of transactions T₃ and T₄ are not illustrated. Although theillustrated embodiments have resolved transactions that could passthresholds by implementing shared and exclusive locks, in otherembodiments there are other suitable ways to resolve these transactions,such as, for example, rejecting such transactions.

IV. Threshold Types

FIG. 6 illustrates embodiment of a state diagram that defines, forexample, advisory, soft, and hard thresholds. For an advisory threshold,the PVR module allows the threshold to be passed, and sends an advisorynotice that the threshold has been passed. A soft threshold also allowsthe threshold to be passed, but the passing of the threshold triggers amonitor of one or more conditions that, if satisfied, signal the PVRmodule to disallow the threshold to be passed subsequently. A hardthreshold signals the PVR module to prevent the threshold from beingpassed. Transactions that attempt to pass a hard threshold are aborted.

Described below are enforcement states and state transitionscorresponding to the state diagram illustrated in FIG. 6. As used below,“usage” refers to a data variable with defined thresholds. Furthermore,as used below, “grace period” refers to the amount of time a thresholdmay be exceeded before becoming another type of threshold, such as, forexample, becoming a hard threshold after the grace period for a softthreshold has expired. A grace period is one embodiment of a conditionwhich may be monitored to implement advisory, soft, and hard thresholdsemantics. In the described embodiment, all thresholds have anassociated grace period. Advisory thresholds have an infinite graceperiod; hard thresholds have a grace period of zero; and anything elseis a soft threshold. It is recognized that, in other embodiments, one ormore, or even all, thresholds may not have an associated grace period.As described in greater detail below with reference to the embodimentsdisclosed in FIGS. 7, 8, 9, 10A, 10B, 10C, 10D, 10E, 10F, and 10G,“usage” refers to domain usage.

The following enforcement states correspond to the state diagram.

-   -   U (Under) If the usage is less than the enforcement threshold,        the enforcement is in state U.    -   O (Over) If the usage is greater than the enforcement threshold,        the enforcement is in state O. At the time the system        transitioned to state O, the grace period for the given        threshold was not yet expired. It is possible for the grace        period to be expired while the enforcement remains in state O,        if the corresponding domain has not been accessed since the        grace period has expired.    -   E (Expired) If the usage is greater than the threshold, and the        usage has remained over the enforcement threshold past the grace        period expiration, and an attempt to access the domain has been        made since the expiration, then the threshold is in state E. If        the threshold is modified but not the grace period, and the        usage still exceeds the threshold, the enforcement remains in        state E.

The following state transitions correspond to the state diagram. Statetransitions marked with an asterisk define state transitions whereerrors may be returned and where the action may be denied.

-   -   UO An enforcement moves from state U to O when the usage is        increased or the threshold is changed such that the usage        exceeds the threshold, and the grace period on the threshold is        non-zero (that is, not a hard threshold). The UO transition sets        the expiration time.    -   UE An enforcement moves from state U to E when the usage is        increased or the threshold is changed by an administrator such        that the usage exceeds the threshold, and the enforcement has a        grace period of zero (that is, a hard threshold). The UE        transition also sets the expiration time, but, in this case, the        time is already exceeded.    -   OU An enforcement moves from state O to U when usage is reduced        or the threshold is changed such that the usage no longer        exceeds the threshold. The OU transition resets the expiration        time.    -   OE An enforcement moves from state O to state E once the grace        period expiration is noticed. Expiration is only noticed during        operations that involve the domain in some way (for example,        allocation, queries, and so forth); in other words, an active        timer for the grace period is not kept. Once the OE transition        occurs, the action is reevaluated in the context of state E,        meaning that if the action causes the usage to increase, the        action is denied. An enforcement also moves from state O to        state E if the grace period is lowered and, thus, now expired.    -   EO If an administrator raises the grace period for a threshold        such that the grace period for an enforcement is no longer        expired, the enforcement moves from state E to O.    -   EU An enforcement moves from state E to state U when usage is        reduced or the threshold is changed such that the soft threshold        is no longer exceeded. The EU transition resets the expiration        time.

The following are situations where the full state does not change, butwhich are helpful to consider:

-   -   UU± An attempt to increase usage (UU+) or decrease usage (UU−)        may cause an enforcement to stay within state U.    -   OO± An attempt to increase usage (OO+) or decrease usage (OO−)        may cause an enforcement to stay within state O.    -   UEU An attempt to increase usage by a non-administrator may be        denied as a result of a hard threshold. If the action had been        allowed to continue, it would have resulted in a transition from        U to E.    -   EE± An attempt to increase usage (EE+) or decrease usage (EE−)        may cause an enforcement to stay within state E. The EE+ case is        denied for non-administrators.

Although the above description relates to one embodiment of a statediagram, it is recognized that other embodiments may be used.

V. Quota Accounting

FIGS. 7, 8, 9, 10A, 10B, 10C, 10D, 10E, 10F, and 10G, and theaccompanying text, describe one embodiment of a quota accounting modulethat uses PVRs to implement domain quotas within a data storage system.Domain quotas are quotas for the usage of a particular domain, forexample, a file system domain. In some embodiments, it may beadvantageous to define certain domains in a file system, and to setthresholds for the usage of such domains. By monitoring usage levelsand/or enforcing thresholds, system administrators may maintain controlover the amount of file system space allocated to a user or group ofusers. Because many transactions may be processed in close proximity, itmay be advantageous to track the possible value ranges of domain usage,as uncommitted transactions become pending.

FIG. 7 and the accompanying text illustrate embodiments of severaldomains in an exemplary file system. FIG. 8 and the accompanying textillustrate exemplary threshold values defined for the exemplary domains.FIG. 9 illustrates one embodiment of a timing diagram of exemplarytransactions that may cause the usage value of the exemplary domains topass the exemplary thresholds. FIGS. 10A, 10B, 10C, 10D, 10E, 10F, and10G illustrate, in greater detail, embodiments of the implementation ofa quota accounting module that uses PVRs to manage the exemplarytransactions.

A. Example Domains

FIG. 7 illustrates an example embodiment of three domains defined withina file system 700. File system 700 includes various directories andfiles organized in a tree-like data structure. As illustrated, there arethree domains (d₀, d₁, d₂) defined within file system 700. A domain is aset of directories and files associated together. Domain d₀ includes allof the files and directories within the /ifs/eng/ directory, whichincludes the following files and directories: eng/, quota_design.doc,home/, tyler/, quota_pseudocode.doc, pete/ and quota_patent_app.doc.Domain d₁ includes all of the files and directories owned by pete in the/ifs/eng/ directory, which includes the following files and directories:eng/, quota_design.doc, pete/ and quota_patent_app.doc. Domain d₂includes all of the files in the directory ifs/eng/home/tyler/, whichincludes the following files and directories: tyler/,quota_pseudocode.doc and quota_patent_ap.doc.

FIG. 8 and Table 3 illustrate one embodiment of the various thresholdsdefined for domains d₀, d₁, and d₂. Usage values are stored for therespective domains. The usage values corresponding to domains d₀ and d₁are stored on the same participant node P₀, described in greater detailbelow with reference to FIG. 9, on block “x” at offset “0” and on block“y” at offset “5,” respectively. The usage value corresponding to domaind₂ is stored on participant node P₁ on block “z” at offset “428.” Theinitial usage of domain d₀ is 999 megabytes, of domain d₁ is 48.9megabytes, and of domain d₂ is 4.55 megabytes. Domain d₀ has threedefined thresholds including an advisory threshold at one thousand andone megabytes, a soft threshold at one thousand five hundred megabytes,and a hard threshold at two thousand megabytes. Domain d₁ has twodefined thresholds, including a soft threshold at forty-nine megabytesand a hard threshold at fifty megabytes. Domain d₂ also has two definedthresholds, including an advisory threshold at 4.5 megabytes and a hardthreshold at five megabytes.

TABLE 3 Participant Advisory Soft Hard Domain (block, offset) = usageThreshold Threshold Threshold d₀ P₀ (x, 0) = 999 MB 1,001 MB 1,500 MB2,000 MB d₁ P₀ (y, 5) = 48.9 MB None   49 MB   50 MB d₂ P₁ (z, 428) =4.55 MB  4.5 MB None    5 MB

B. Example Transactions

FIG. 9 illustrates one embodiment of a timing diagram of multipletransactions in embodiments of an incremental computing system.Incremental computing system 900 is a distributed file system, whichincludes an initiator node 902, node I, and two participant nodes 904,nodes P₀ and P₁. The timing diagram illustrates the order of messagessent and received by the various described nodes in the incrementalcomputing system 900 as three transactions, T₀, T₁, and T₂, areaccounted for in the system.

In the illustrated embodiment, the various nodes of the distributed filesystem may process transactions according to a global transactionsystem. A global transaction system in which embodiments of systems andmethods described herein may be implemented, is described in U.S. patentapplication Ser. No. 11/449,153 entitled “NON-BLOCKING COMMIT PROTOCOLSYSTEMS AND METHODS,” filed Jun. 8, 2006, which is a continuation ofU.S. patent application Ser. No. 11/262,306 entitled “NON-BLOCKINGCOMMIT PROTOCOL SYSTEMS AND METHODS,” filed Oct. 28, 2005, which claimspriority to Application No. 60/623,843, filed Oct. 29, 2004, all ofwhich are hereby incorporated by reference herein in their entirety.

In state 906, delta commands corresponding to transactions T₀ are sentfrom the initiator node I to participant node P₀. There are two deltacommands corresponding to transaction T₀, each delta commandcorresponding to one of the two domains to which transaction T₀corresponds. In state 906, the initiator node I also sends deltacommands corresponding to transaction T₁ to participant nodes P₀ and P₁.Each of the delta commands corresponds to one of the respective domainsto which transaction T₁ corresponds. The usage field for domain d₀ isstored on participant P₀, the usage field corresponding to domain d₂ isstored on participant P₁. Thus, delta commands are sent to bothparticipant nodes P₀ and P₁. Because the usage field for domain d₁ isstored on participant node P₀, both delta commands corresponding totransaction T₁ are sent to participant node P₀. Transactions T₁ and T₂are sent within a close period of time. Although in the illustratedembodiment, the delta commands arrive in the order in which they weresent, in other examples/embodiments the delta commands may arrive in anorder different from their sending order. Generally speaking, therespective delta commands for transactions T₁ and T₂, the delta commandscorresponding to T₁ and T₂ may be processed concurrently by participantnodes P₀ and P₁. Generally speaking, this concurrency may be between therespective participant nodes, or between the respective delta commandsbeing executed on a particular participant node.

After participant nodes P₀ and P₁ determine whether or not therespective deltas can be applied without passing a threshold,participant nodes P₀ and P₁ send to the initiator node I a returnmessage indicating a Boolean response of whether the delta may beapplied without passing a threshold. In state 908, participant P₀ sendsreturn values for the delta commands corresponding to transaction T₀.The return value for the delta command corresponding to domain d₀ is“Yes,” indicating that the delta may be applied to domain d₀ withoutpassing a threshold. The return value for the delta commandcorresponding to domain d₁ is “No,” indicating that the delta cannot beapplied without passing its threshold. In state 910, participants P₀ andP₁ return respective values for the delta commands corresponding totransaction T₁. The return value for the delta transaction correspondingto domain d₀ is “Yes,” indicating that the delta can be applied withoutpassing a threshold. The return value for the delta commandcorresponding to domain d₂ is “No,” indicating that the delta cannot beapplied without passing a threshold.

Because transactions T₀ and T₁ could each respectively cause arespective usage value to pass a threshold (transaction T₀ could causeusage for domain d₁ to pass a threshold; transaction T₁ could causesusage for domain d₂ to pass a threshold), a reorganization is executedfor each transaction respectively. Thus, in state 910, a reorganizationis executed corresponding to transaction T₀. In state 912, areorganization is executed corresponding to T₁.

In state 914, initiator node I sends respective delta commandscorresponding to transaction T₂. Because the usage fields for domains d₀and d₁ are stored on participant P₀, the two respective delta commandscorresponding to these domains are sent to participant P₀. The deltacommand corresponding to domain d₂ is sent to participant P₁ because theusage value corresponding to d₂ is stored on participant P₁. In state916, participants P₀ and P₁ send the respective return values fortransaction T₂ corresponding to domains d₀, d₁, and d₂. The return valuefor the delta command corresponding to d₀ is “Yes,” indicating that thedelta may be applied to the usage field of corresponding to d₀ withoutpassing a threshold. The return values for the delta commandscorresponding to domains d₁ and d₂ are “No,” indicating that the deltavalue cannot be applied to the respective usage fields of domains d₁ andd₂ without passing the respective thresholds for these domains. Thisoccurs in state 916. In state 918, a reorganization is executedcorresponding to transaction T₂ because the thresholds corresponding todomains d₁ and d₂ could be passed if the respective delta of transactionT₂ is applied.

FIGS. 10A, 10B, 10C, 10D, 10E, 10F, and 10G illustrate, in more detail,embodiment of the execution of the delta commands corresponding totransactions T₀, T₁, and T₂, which are described above in the timingdiagram illustrated in FIG. 9. In 1000, the respective usage fields fordomains d₀, d₁, and d₂ are illustrated along with their correspondingPVR data structures. The usage value for domain d₀ is stored on block“x” of participant P₀ at offset “0.” The initial usage value of domaind₀ is “999.” Because there are no deltas yet associated with the usagevalue for domain d₀, the PVR is [999:999]. In other words, the low valuev_(l) of the PVR is “999,” and the high value v_(h) of the PVR is “999.”There are two thresholds defined for domain d₀, the low threshold set to“0” and the high threshold set to “1001.” There are no deltas yet forthe usage value of domain d₀.

The usage value of domain d₁ is stored on disc block “y” of participantP₀ at offset “5.” The initial usage value of domain d₁ is “48.9.”Because there are no deltas yet for the usage value of domain d₁, thePVR of the usage for domain d₁ is [48.9:48.9]. In other words, the lowvalue v_(l) of the PVR corresponding to domain d₁ is “48.9,” and thehigh value v_(h) of the PVR corresponding to domain d₁ is “48.9.” Thereare two thresholds defined for domain d₁, the low threshold set to “0”and the high threshold set to “49.” As mentioned above, there are nodeltas defined for the usage of domain d₁.

The usage value for domain d₂ is stored on disc block “z” of participantP₂ at offset “428.” The initial usage value is “4.55.” Because there areno deltas yet defined for the usage value on domain d₂, the PVR of theusage for domain d₂ is [4.55:4.55]. In other words, the low value v_(l)of the PVR for the usage value corresponding to domain d₂ is 4.55, andthe high value v_(h) of the PVR corresponding to usage for domain d₂ isalso 4.55. There are two thresholds defined for the usage valuecorresponding to domain d₂, the low threshold set to “4.5,” and the highthreshold set to “5.” As mentioned above, there are no deltas yetdefined for the usage value corresponding to domain d₂.

Table 4 illustrates one embodiment of the initial domain usage valuesdescribed above, and also illustrates the potential incremental affectsof three transactions, T₀, T₁, and T₂, on the domain usage.

TABLE 4 d₀ d₁ d₂ Initial Usage Value for Domain d_(n)  999 MB 48.9 MB4.55 MB T₀ write (quota_design.doc) +0.3 MB +0.3 MB N/A T₁ write(quota_pseudocode.doc) −0.1 MB N/A −0.1 MB T₂ write(quota_patent_app.doc) +0.9 MB +0.9 MB +0.9 MB

In 1002, the respective delta commands corresponding to transaction T₀are received by participant P₀. There are two delta commandscorresponding to the two domains d₀ and d₁, the domains affected bytransaction T₀. In other words, transaction T₀ modifies files and/ordirectories within domain d₀ and d₁, changing the usage valuescorresponding to these respective domains. Although in the illustratedembodiment the delta_cmd_T₀ corresponding to domain d₀ is processedbefore the delta_cmd_T₀ corresponding to d₁, in other embodiments thedelta commands may be processed in a different order.

The delta_cmd_T₀ corresponding to domain d₀ includes an operator typefield set to “add,” a delta field set to “0.3,” a threshold field set to“1001,” a block field set to “x,” and an offset field set to “0.” Inorder words, the delta_cmd_T₀ corresponding to do requests whether “0.3”may be added to the usage level corresponding to domain d₀, which isstored on block “x” at offset “0,” without passing the threshold “1001.”T₀ could cause the PVR of the usage value for domain d₂ to be[999:999.3]. In other words, if T₀ executes (commits), then the usage ofdomain d₀, in combination with any other pending transactions, could be“999.3.” If transaction T₀ does not execute (aborts), then the usagevalue for domain d₀ could be “999.” Because the high value v_(h) of thePVR corresponding to domain d₀ is less than the high thresholdcorresponding to domain d₀, the delta can be applied without passing athreshold. Subsequently, the delta is written to the journal, asdescribed in greater detail above with reference to FIGS. 3, 4A, and 4B.The in-memory structures tracking the possible value range and thedeltas are modified. Specifically, the high value v_(h) of the PVRcorresponding to d₀ is now “999.3.” Furthermore, the delta value “+0.3”is stored in memory.

The delta_cmd_T₀ corresponding to domain d₁ includes an operator typefield set to “add,” a delta field set to “0.3,” a threshold field set to“49,” a block field set to “y,” and an offset field set to “5.” In orderwords, the delta_cmd_(—T) ₀ corresponding to d₁ requests whether “0.3”may be added to the usage level corresponding to domain d₁, which isstored on block “y” at offset “5,” without passing the threshold “49.”T₀ could cause the PVR corresponding to domain d₁ to be [48.9:49.2]. Inother words, the delta corresponding to transaction T₀ would push thehigh value of the possible value range of the PVR to “49.2.” Thus, iftransaction T₀ executes (commits), then the usage value for domain d₁,in combination with any other pending transactions, could be “49.2.” If,however, the transaction T₀ does not execute (aborts), then the usagevalue of domain d₁ could be “48.9.” Because the possible high value ofthe PVR is greater than the value of the high threshold corresponding todomain d₁, the delta corresponding to transaction T₀ cannot be appliedwithout passing a threshold. Because transaction T₀ could cause theusage value of d₁ to pass a threshold, the return value of delta_cmd_T₀for domain d₁ is “No.” Transaction T₀, therefore, requests an exclusivelock. Because transaction T₀ would not have passed a threshold in domaind₀, as discussed above, the delta was applied to the data structurescorresponding to domain d₀. Because transaction T₀ is now suspendeduntil it acquires an exclusive lock, the data structures correspondingto domain d₀ are rolled back to their condition prior to transaction T₀.Thus, the PVR for usage in domain d₀ is “999:999,” and there are nopending deltas.

In 1004, the delta commands corresponding to transaction T₁ areprocessed. As mentioned above, although in the illustrated embodiment,the respective delta commands are processed in the order of d₀ and thend₂, in other embodiments the delta commands may be processed in adifferent order. The delta_cmd_T₁ corresponding to domain d₀ includes anoperator type field set to “sub,” a delta field set to “0.1,” athreshold field set to “0,” a block field set to “x,” and an offsetfield set to “0.” In order words, the delta_cmd_T₁ corresponding to d₀requests whether “0.1” may be subtracted from the usage levelcorresponding to domain d₀, which is stored on block “x” at offset “0,”without passing the threshold “0.” Transaction T₁ could decrease the lowvalue v_(l) of the PVR the usage value for domain d₀ to “9.2.” Thus, thetemporary PVR of the usage value of domain d₀, in combination with anyother transactions, is [99.2:99.3]. Because the low value v_(l) of thePVR corresponding to the usage field of domain d₀ is greater than orequal to the low threshold corresponding to domain d₀, the delta valueof delta_cmd_T₁ can be applied without crossing a threshold.Subsequently, the delta is written to the journal, as described ingreater detail above with reference to FIGS. 3, 4A, and 4B. Thein-memory structures tracking the possible value range and the deltasare modified. Specifically, the low value v_(l) of domain d₀ isdecremented by the delta value “0.1.” Furthermore, the delta value“−0.1” is also recorded in memory, as a pending delta.

The delta_cmd_T₁ corresponding to domain d₂ includes the following datafields: an operator type field set to “sub,” a delta field set to “0.1,”a threshold field set to “4.5,” a block field set to “z,” and an offsetfield set to “428.” In other words, the delta_cmd_T₁ requests whether“0.1” may be subtracted from the usage value corresponding to domain d₂,which is stored on block “z” at offset “428,” without passing thethreshold “4.5.” Transaction T₁ could cause the PVR corresponding todomain d₂ to be [4.45:4.55]. Because transaction T₁ could cause theusage value of d₂ to pass a threshold, the return value of delta_cmd_T₁for domain d₂ is “No.” Transaction T₁, therefore, requests an exclusivelock. Because transaction T₁ would not have passed a threshold in domaind₀, as discussed above, the delta was applied to the data structurescorresponding to domain d₀. Because transaction T₁ is now suspendeduntil it acquires an exclusive lock, the data structures correspondingto domain d₀ are rolled back to their condition prior to transaction T₁.Thus, the PVR for usage in domain d₀ is still “999:999,” and there areno pending deltas.

In 1006, the PVR module reorganizes domains d₀ and d₁ based ontransaction T₀. Because transaction T₀ could cause the usage value ofdomain d₁ to pass the corresponding soft threshold in the upwarddirection, transaction T₀ is processed with an exclusive lock, and therelevant domains d₀ and d₁ are reorganized. During the reorganization,transaction T₀ is allowed to commit because no hard thresholds arepassed. Because transaction T₀ would increment the respective usagevalues of domains d₀ and d₁ by “0.3,” the usage value of domain d₀ isset to “999.3,” and the usage value of domain d₁ is set to “49.2.” Therespective PVR values are adjusted to reflect the respective usages fordomains d₀ and d₁. Because no thresholds were passed in domain d₀, thethresholds remain the same for d₀. Because transaction T₀ causes theusage value of domain d₁ to pass the soft threshold for domain d₁ in theupward direction, the thresholds are adjusted. The low threshold fordomain d₁ is now the soft threshold of “49” and the high threshold fordomain d₁ is now the hard threshold “50.”

Because transaction T₁ could also cause one of the usage values ofdomains d₀ and d₂ to pass a threshold, in 1008, domains d₀ and d₂ arereorganized by transaction T₁. During the reorganization, transaction T₁is allowed to commit because no hard thresholds are passed. With respectto domain d₀, the usage value is decremented to “999.2.” Becausetransaction T₁ does not cause the usage value of domain d₀ to pass athreshold, the thresholds for domain d₀ remain the same. With respect todomain d₂, the usage value is decremented to 4.45. Because the newdecremented usage value passes the advisory threshold in the downwarddirection, the thresholds are readjusted. The adjusted low threshold isnow “0,” and the adjusted high threshold is now the advisory threshold“4.5.”

In 1010, the delta commands corresponding to transaction T₂ areprocessed. With respect to domain d₀, delta_cmd_T₂ includes thefollowing data fields: an operation type field set to “add,” a deltafield set to “0.9,” a threshold field set to “1001,” a block field setto “x,” and an offset field set to “0.” In other words, delta_cmd_T₂requests whether “0.9” may be added to the usage value corresponding tod₀, which is stored on block “x” at offset “0,” without passing thethreshold “1001.” Thus, the temporary PVR is [99.2:1000.1]. Saiddifferently, delta_cmd_T₂ could increment the high value v_(h) of thePVR corresponding to domain d₀ to “1000.1.” Because 1000.1 is less thanor equal to 1001, the delta may be applied without passing a threshold.In other words, because the high value v_(h) of the PVR for domain d₀would be less than the high threshold for d₀, the delta may be applied.Subsequently, the delta is written to the journal, as described ingreater detail above with reference to FIGS. 3, 4A, and 4B. Thein-memory structures tracking the possible value range and the deltasare modified. Subsequently, the high value v_(h) of the PVR for D₀ isadjusted to “1000.1” and the delta value “+0.9” is recorded in systemmemory.

With respect to domain d₁, delta_cmd_T₂ includes the following datafields: an operation type field set to “add,” a delta field set to“0.9,” a threshold field set to “50,” a block field set to “y,” and anoffset field set to “5.” In other words, delta_cmd_T₂ requests whether“0.9” may be added to the usage value corresponding to domain d₁, whichis stored on block “y” at offset “5,” without passing the threshold“50.” Transaction T₂ could cause the PVR for d₁ to be [49.2:50.1]. Inother words, delta_cmd_T₂ could increment the high value v_(h) of thePVR of domain d₁ to “50.1.” Because 50.1 is greater than 50, thedelta_cmd_T₂ could cause d₁ to pass a threshold. Specifically, thetransaction T₂ could cause the usage value of domain d₁ to pass the highthreshold, which is a hard threshold. Because transaction T₂ could causethe usage value of d₁ to pass a threshold, the return value ofdelta_cmd_T₁ for domain d₁ is “No.”

With respect to domain d₂, delta_cmd_T₂ includes the following datafields: an operation type field set to “add,” a delta field set to“0.9,” a threshold field set to “4.5,” a block field set to “z,” and anoffset field set to “428.” In other words, delta_cmd_T₂ requests whether“0.9” may be added to the usage value corresponding to domain d₂, whichis stored on block “z” at offset “428,” without passing the threshold“4.5.” If delta_cmd_T₂ is applied, the PVR for d₂ would be [4.45:5.35].In other words, the delta_cmd_T₂ would increase the high value v_(h) ofthe PVR of domain d₂ to “5.35.” Because 5.35 is greater than 4.5, whichis the high threshold, the delta_cmd_T₂ could cause the usage value ofdomain d₂ to pass a threshold. Because transaction T₂ could cause theusage value of d₂ to pass a threshold, the return value of delta_cmd_T₁for domain d₂ is “No.”

Because transaction T₂ could cause the usage value of either d₁ or d₂ topass a threshold, transaction T₂ requests an exclusive lock. Becausetransaction T₂ would not have passed a threshold in domain d₀, asdiscussed above, the delta was applied to the data structurescorresponding to domain d₀. Because transaction T₂ is now suspendeduntil it acquires an exclusive lock, the data structures correspondingto domain d₀ are rolled back to their condition prior to transaction T₂.Thus, the PVR for usage in domain d₀ is “999.2:999.2,” and there are nopending deltas.

In 1012, domains d₀, d₁, and d₂ are reorganized because transaction T₂could cause one or more thresholds to be passed in the respectivedomains. Specifically, because transaction T₂ could cause the usagevalues of domains d₁ and d₂ to pass respective thresholds, the relevantdomains are reorganized. Because transaction T₂ could cause the usage ofdomain d₁ to pass a hard threshold, transaction T₂ is aborted.Accordingly, the usage values of domains d₀, d₁, and d₂ remain the same.Similarly, the PVRs and thresholds for domains d₀, d₁, and d₂ alsoremain the same. In the illustrated embodiment, during reorganization,the transaction with the exclusive lock is processed serially withrespect to the different affected domains. For example, transaction T₂may be processed first with respect to domain d₀ and then domain d₁.Because transaction T₂ would not cause domain d₀ to pass a threshold,the data structures corresponding to d₀ may be adjusted before it isdiscovered that transaction T₂ would cause domain d₁ to pass a hardthreshold, triggering an abort of transaction T₂. Accordingly, duringreorganization, some data structures may be changed and then rolled backafter discovering that a hard threshold is passed. Although the finalstates of the three respective domains are illustrated in the exampleabove, the temporary modification and subsequent readjustment are notillustrated.

VI. Resource Usage Management

In many computing environments it is desirable to manage usage of one ormore resources by consumers of the resources. Resource usage managementmay include, for example, determining the types of resources to bemanaged, tracking and accounting for the usage of these resources,reporting resource usage to a system administrator, and/or enforcinglimits on the resource usage. The types of resources accounted for mayrepresent resources that are part of the computing environment (forexample, physical space on a storage medium) or external to theenvironment (for example, monetary value of banking or brokerageaccounts). Consumers of the resources may include, for example, usershaving system accounts in the computing environment as well as processesand threads that consume computing resources.

For purposes of illustration, embodiments of systems and methods forresource usage management will be described with reference to adistributed computing environment and in particular with reference toquota tracking systems and methods for a distributed file system. Thesystems and methods disclosed herein are not limited to theseillustrative embodiments and are applicable to a wide range ofimplementations. For example, a bank may wish to track account balancesfor its account holders, or a securities brokerage may wish to track thetrading activity of participants on an securities exchange. In anInternet context, an Internet Service Provide may wish to monitor andenforce limits on bandwidth use.

FIG. 11 schematically illustrates one embodiment of a distributedcomputing system 1100 a that comprises N threads 1102 labeled as S_(i),where index i runs from 0 to N-1. In one embodiment, the computingsystem 1100 a is a distributed file system and the threads 1102 comprisenodes of the file system. In this example, a resource R having usage U(on some or all of the threads S_(i)) is tracked by an accounting system1104 denoted by C in FIG. 11 and is checked against at least onethreshold H. In a file system embodiment, the resource may comprisephysical space in a quota domain on the file system, and the threshold Hmay be a hard, soft, and/or advisory threshold described above. If arequest for the resource will cause the resource usage U to pass thethreshold H, the accounting system 1104 may take a suitable enforcementaction, which may depend on the threshold type. For example, in a filesystem embodiment, if a request to write a new file or modify anexisting file will cause the usage U to pass a hard threshold H, theaccounting system 1104 may prevent writing the new file or modifying theexisting file. If, in this example, the threshold H were an advisorythreshold, the accounting system 1104 may allow the new file to bewritten or the existing file to be modified and may communicate anappropriate notification to the resource requestor and/or a file systemadministrator.

The implementation of the accounting system 1104 illustrated in FIG. 11may suffer a disadvantage, because all of the updates, on any of thethreads S_(i), to the resource usage U are processed by the singlethread S₀. If the number (or rate) of updates becomes too large,capacity of the thread S₀ may be insufficient to handle the updates, andthe thread S₀ may become a bottleneck for the computing system 1100 a.

FIG. 11 illustrates an alternative implementation that addresses thisdisadvantage. In this example implementation, a computing system 1100 balso comprises N threads 1102 labeled as S_(i). An accounting system1108 is allocated among the threads 1102 as N subsystems C_(i). AlthoughFIG. 11 illustrates each thread S_(i) as having a single subsystemC_(i), in other embodiments, a different allocation may be used₁ and aparticular thread S_(i) may be allocated 0, 1, 2, 3, 7, 23, or any othernumber of accounting subsystems 1108. Also, although FIG. 11 illustratesthe same number of subsystems C_(i) as threads S_(i), in otherembodiments, the number of subsystems C_(i) may be less than, or greaterthan, the number of threads S_(i). The total usage U of the resource maybe divided into subusages U_(i) for each of the subsystems C_(i).Similarly, the threshold H may be divided into subthresholds H_(i). Incertain embodiments, it may be desirable to provide an exact accountingfor the resource usage U on the system 1100 b. Accordingly, in theseembodiments, the organization into subsystems C_(i) may be made so thatthe sum of the subusages U_(i) equals the total usage U and the sum ofthe subthresholds H_(i) equals the threshold H.

The implementation of the accounting system 1108 advantageously mayavoid or reduce the likelihood of a bottleneck, because updates toresource usage on the computing system 1100 b are processed by the Nthreads S₀ to S_(N-1) rather than by one thread (as in system 1100 a) ora few threads. An additional advantage is that the accounting system1108 is scalable. For example, if new threads are added to (or existingthreads are removed from) the distributed computing system, the numberof accounting subsystems can be increased or decreased to accommodatethe change. Additionally, distributed computing systems may have a verylarge number of users consuming resources. The number of subsystemsC_(i) in the accounting system 1108 may be suitably scaled to handleresource usage by the users.

FIG. 11 illustrates another aspect of the organization of the accountingsystem 1108 into subsystems C_(i). In the thread S₂, resource subusageU₂ has passed the threshold H₂. The usual system enforcement actiontaken when a threshold is passed may be, for example, to prevent furtherwrites to a file system domain. However, as can be seen in FIG. 11,depicted subsystem usages U_(i) have not passed the correspondingsubthresholds H_(i) in the other illustrated threads: S₀, S_(i), andS_(N-1). Accordingly, although the subusage in the subsystem C₂indicates that an enforcement action should be taken, the total usage U(summed over all threads) may be less than the threshold H, whichindicates that no enforcement action should be taken. To avoid or reducethe likelihood this outcome, certain embodiments reorganize theaccounting system into a new set of subsystems and reallocate the newsubsystems among the threads S_(i) when a subusage U_(i) passes (orapproaches) a subthreshold H_(i). Reorganization may also occur ifsystem properties and/or parameters change such as, for example, if thenumber N of threads and/or the threshold H change.

A. Quota Accounting System For A Distributed File System

Illustrative embodiments of systems and methods for resource usagemanagement in the context of a quota accounting system for file systemdomains will now be discussed. The quota accounting system may beconfigured to track, for example, usage of storage capacity in a domainof a file system such as, for example, the domains d₀, d₁, and/or d₂ ofthe file system 700 described with reference to FIG. 7. The storagecapacity in the domain may be measured via one or more metricsincluding, for example, physical space (for example, megabytes on a diskdrive), logical space (for example, physical space less certain filesystem metadata) and/or number of files in the domain. In certainembodiments, logical space includes physical space less redundant spaceused for increased data protection (for example, mirroring, parity,and/or other metadata).

FIG. 12 illustrates an embodiment of an example of an accounting systemC₀ (shown by reference numeral 1200 a) for the domain d₀ that has beenorganized into three accounting subsystems C₀₀, C₀₁, and C₀₂ (shown byreference numeral 1200 b), each of which tracks usage in a portion ofthe domain. In the context of a distributed file system, the accountingsubsystems will be called “constituents.” The constituents may beallocated among nodes of the distributed file system. A node may beallocated 0, 1, 2, 3, 5, 17, or any other number of constituents.

The domain d₀ tracked by the accounting system C₀ may be associated withone or more thresholds or “limits,” any of which may be advisory, soft,or hard as described above with reference to FIG. 8. In this example,three limits are associated with the quota on the domain d₀. Thephysical limit of 2 gigabytes represents total physical space used tostore the files and directories of the domain d₀. The file limit of 302files represents the number of files in the domain d₀, and the logicallimit of 1.5 gigabytes represents the physical space of the domain d₀less certain file system overhead. Total current usage on the domain d₀is 1 gigabyte.

As mentioned, the accounting system C₀ may be organized into theconstituents C_(0i), where the index i runs from 0 to N-1, where N isthe number of constituents (3 in FIG. 12). Various methods for selectingthe number N of constituents will be described more fully below. In someembodiments, the usage and limits of the domain are dividedsubstantially equally among the constituents. If a quantity does notdivide evenly, the quantity is divided as evenly as possible subject tothe restriction that no lower-indexed constituent has a lower value thana higher-indexed constituent. For example, FIG. 12 illustrates thedivision of the usage and the physical, file, and logical limits amongthe three constituents C_(0i).

FIG. 12 also illustrates examples of how the system handles pendingtransactions that change resource usage. In the accounting system 1200a, four pending transactions 1210 are pending. In some implementations,the transactions may comprise delta transactions, which provideincremental changes to the value of a data field and which permit thesystem to process multiple concurrent transactions (for example, see thediscussion with reference to FIG. 1). FIG. 12 illustrates (in the columnlabeled Delta Operations Example) four example delta transactions 1210,which change the physical size of the quota domain by amounts (inmegabytes): +20 MB, −100 MB, +300 MB, and +50 MB. As described above, insome embodiments, these four example concurrent delta transactions maybe processed without regard to the order in which they were sent.

If the accounting system is organized into the constituents C_(0i) (suchas the system 1200 b), the transactions 1210 are distributed to theconstituents C_(0i). FIG. 12 illustrates two examples 1210 a and 1210 bof how the transactions 1210 may be distributed 1210 a and 1210 b to thethree constituents C₀₀, C₀₁, C₀₂ (see columns labeled Delta OperationsExample 1 and Delta Operations Example 2). In some embodiments, thetransactions 1210 are distributed randomly to the constituents, whichadvantageously causes the quota accounting processing load to be sharedrelatively evenly among the constituents.

It may be desirable for the quota domain accounting system to enforce“limit exactness,” in which the usage level relative to the limits isknown and in which the usage level takes account of, and does notexclude, pending modifications to the domain. By enforcing limitexactness, an accounting system advantageously can determine whether thecurrent usage level violates any limit and take suitable action if thelimit is violated. Enforcing limit exactness, however, may lead todisadvantages in some incremental computing systems that utilize deltatransactions. For example, before the accounting system can determinethe current usage, the system may stop ongoing transactions and wait forpending transactions either to commit or abort. This approach, however,may lead to serialization of the transactions.

To avoid or reduce the likelihood of serialization, certain embodimentsof the accounting system use possible value ranges (PVRs) to track theupper and lower bounds of the possible range for the usage. The use ofPVRs advantageously permits the system to process multiple concurrentdelta transactions while enforcing limit exactness. In some embodiments,methods similar to the method 450 illustrated in FIG. 4B may be used todetermine whether applying a delta to a constituent usage will cause anassociated PVR boundary to pass a constituent usage limit. In oneembodiment, pending delta transactions in which a boundary of the PVRdoes not pass the limit are permitted to complete, because suchtransactions will not cause a limit violation. However, if the pendingdelta transaction will cause a boundary of the PVR to cross a limit, thedelta transaction is rejected. In this case, as will be furtherdescribed below, the accounting system may take suitable action toreorganize the constituents.

FIG. 13 illustrates an embodiment of an abstract data structure 1300that can be used to implement a quota domain account 1304 for trackingresource usage U for the quota domain. The resource may include, forexample, physical space, logical space, and/or number of files in thequota domain. The quota domain account may have one or more limits (orthresholds) l_(j), where index j runs from 1 to L, the number of limits.For example, in some embodiments, three limits (for example, anadvisory, a soft, and a hard limit) are provided for each resource whoseusage U is tracked.

The quota domain account 1304 is organized into a number N of quotaaccount constituents 1308. In various embodiments, the number N may befixed at system initiation or may be dynamically selected depending onsystem usages and limits. The constituents are labeled QAC_(i), whereindex i runs from 0 to N-1. Each constituent QAC_(i) tracks usage U_(i)in a portion of the quota domain. As mentioned above, the resource usageU may be divided among the constituents so that

${\sum\limits_{i = 0}^{N - 1}U_{i}} = {U.}$

Additionally, each constituent QAC_(i) may have constituent limitsl_(ij) that may be determined according to

${\sum\limits_{i = 0}^{N - 1}l_{ij}} = {l_{j}.}$

In certain embodiments, division of the resource usage U and the limitsl_(j) is made as equal as possible among the constituents to balance theprocessing load on the constituents.

The file system may provide increased protection for the integrity offile system data such as, for example, by providing error detection,and/or error correction including, for example, parity protection and/ormirrored protection. In some embodiments providing mirrored protection,identical copies of the files are mirrored on different nodes. Forexample, if a particular file system node fails, if a media error occurson part of a storage device (for example, a disk drive), or if otherfile system problems occur, a mirrored file system advantageouslyenables the user to have continued access to information in the file byaccessing a mirrored copy of the file. In many embodiments, theprotection process is transparent to the user, who need not (andtypically does not) know which nodes actually provide the data. Thelevel of protection provided by mirroring may be denoted by a protectionvalue P, which in some embodiments is an integer that reflects thenumber of independent mirrored versions of the file stored by the filesystem. For example, if a file system has “3×” protection, the value ofP equals 3, meaning 3 identical versions of each file are maintained.

The quota domain account 1304 may provide mirroring in order to increasethe integrity of the quota accounting. In some embodiments, each quotaaccounting constituent 1308 is mirrored P times. FIG. 13 illustratesmirroring of each constituent QAC_(i) in P mirrored quota accountingblocks 1310. The quota accounting blocks are denoted as QAB_(ik), wherethe index i runs over the number of constituents (for example, from 0 toN-1) and index k runs over the number of mirrors (for example, from 0 toP-1). Each quota accounting block QAB_(ik) may be configured to trackthe usage U_(i) and the limits l_(ij) in the corresponding constituentQAC_(i). In certain embodiments, the constituent limits are tracked andmanaged by the QAB data structures. In other embodiments, theconstituent limits are tracked and managed by the constituents 1308 orby the quota domain account 1304.

As mentioned above, in some embodiments, the quota accounting blocksQAB_(ik) are configured to manage usage of more than a single resourcein a constituent QAC_(j). For example, usage of resources such asphysical space, logical space, and/or the number of files may be trackedin some or all of the constituents. In such embodiments, there may be aseparate set of limits l for each resource usage that is tracked (forexample, advisory, soft, and/or hard limits for physical space,advisory, soft, and/or hard limits for logical space, and so forth).

FIG. 14 illustrates an embodiment of an example allocation of quotaaccount constituents QAC_(i) and mirrored quota accounting blocksQAB_(ik) in a quota domain system 1404. In this example, the quotadomain system 1404 is implemented on a distributed file system having 8nodes 1420 and a protection level P=3. In certain embodiments, thenumber of constituents N is selected according to

$\begin{matrix}{{N = \left\lfloor {\frac{NODES}{P}R} \right\rfloor},} & (1)\end{matrix}$

where NODES is the number of nodes, P is the protection level, and R isa tunable parameter that represents the maximum number of constituentsper node in the file system. For example, the value R=1 provides 1constituent per node, R=2 provides 2 constituents per node, and R=⅓provides that roughly ⅓ of the nodes have a constituent. In Equation(1), the symbol └ ┘ represents the mathematical floor operator, whichreturns the largest integer less than or equal to its argument. In otherembodiments, other mathematical functions (for example, ceiling, integerpart, and so forth) may be used to determine the number of constituents.In the example illustrated in FIG. 14, Equation (1) demonstrates thatthere are 2 constituents 1408 a and 1408 b. Because file system provides3× protection, each constituent 1408 a, 1408 b comprises three nodes,which may be selected randomly (with removal) from the available nodes.As depicted in FIG. 14, the constituent 1408 a comprises the three nodes2, 5, and 7, and the constituent 1408 b comprises the three nodes 6, 1,and 4. The nodes 0 and 3 are not used by the quota domain accountingsystem 1404.

In some embodiments, if nodes are added to (or removed from) the filesystem, the quota domain accounting system 1404 may reorganize andutilize a new (and possibly different) number of constituents determinedfrom Equation (1). For example, if 4 nodes were added to the file systemillustrated in FIG. 14 (making a total of 12 nodes), Equation (1)indicates there should be 4 quota constituents. Each constituent wouldbe mirrored 3 times; therefore, each node in the file system would beutilized by quota accounting.

B. Reorganization

Certain embodiments of the quota accounting system provide forreorganization of the constituents based on the occurrence of variousevents. Quota accounting systems may provide for several events thattrigger reorganization. For example, if a request to modify resourceusage in the quota domain causes constituent usage to pass a constituentlimit (for example, from under-to-over quota or from over-to-underquota) or if the request causes a data value's PVR boundary associatedwith constituent usage to pass a constituent limit, then the accountingsystem may reorganize. Such reorganization may be appropriate, becausealthough resource usage in a particular constituent may be near a quotalimit, there may be adequate resources on the other constituents in thedomain to support the request. By reorganizing the constituents, andtheir associated usages and limits, the accounting system advantageouslywill be able to more evenly balance the usage load among theconstituents.

FIG. 15 is a flow chart that illustrates an embodiment of a constituentreorganization method 1500. The method 1500 may be implemented by aquota constituent module of the system module 210 of the computingsystem 200 illustrated in FIG. 2. In state 1504, the quota constituentmodule determines usages and limits among the current constituents. Thisinformation may be calculated and/or received from an administrator ofthe system. In state 1508, the module determines system informationincluding, for example, the number of available nodes in the filesystem, the protection level, and other adjustable parameters (forexample, the constituents per node parameter R). This information may becalculated and/or received from an administrator of the system. In state1512, the quota constituent module organizes the quota domain accountsystem into constituents. FIG. 14 discussed above provides one exampleof the organization of a quota domain accounting system organized into 2constituents (each mirrored 3 times) on a file system having 8 nodes.

State 1516 represents the typical operating state of the accountingsystem, in which the quota constituent module tracks resource usage ineach of the constituents. System embodiments utilizing incremental deltatransactions and PVR usage ranges advantageously can process multipleconcurrent transactions while enforcing limit exactness.

The quota constituent module monitors the status of the quota accountingsystem to determine whether an event has occurred that may trigger areorganization of the constituents. FIG. 15 depicts three possibleevents, shown in states 1520, 1524, and 1528, that may trigger the quotaconstituent module to reorganize. In other embodiments, there may befewer or greater reorganization events, and the events may be differentfrom the illustrated examples.

State 1520 has been described above and represents the event where arequest for resource modification is rejected because a limit would bepassed (for example, by resource usage and/or by a PVR boundary). Forexample, in some embodiments, an incremental delta request that wouldcause constituent usage (or a PVR value associated with constituentusage) to pass a limit is rejected₁ and an error message is communicatedto the quota constituent module. In response to the error message, thequota constituent module returns to state 1504 to reorganize the quotaaccounting system.

State 1524 represents events in which system parameters (for example,limits, PVRs, the R parameter, and so forth) have been changed. Forexample, if a PVR boundary associated with resource usage is modified₁and the new PVR boundary is sufficiently “close” to (or passes) thenearest limit, the quota constituent module may return to state 1504 andreorganize the constituents. Reorganization caused by events in state1540 advantageously handles cases where resource usage is increasing ina quota domain and the number of constituents should increase to providebetter concurrency for resource requests. For example, in oneembodiment, the number N of constituents grows in proportion toallocated resources, which beneficially provides that the file systemresources allocated to the quota accounting blocks make up only arelatively small fraction of the total resources.

State 1528 represents any event in which the layout of the constituentson the nodes of the file system is suboptimal. The quota constituentmodule may track one or more heuristics that measure a quality factorfor the constituent organization, and if the quality factor issuboptimal the module causes a return to state 1504 for reorganization.In certain embodiments, determination of whether the constituent layoutis suboptimal is handled in state 1520.

FIG. 16 illustrates in more detail an embodiment of state 1512 of FIG.15, in which the quota constituent module organizes the quota domaininto constituents. In state 1604, the module determines the currentlimit state, which includes information identifying which, if any,limits have been violated on any of the constituents. In someembodiments, the limit state is represented as a bit state identifyingthe violated limits. For example, if no limits have been violated, thelimit state is empty (or null). If one or more limits have beenviolated, the limit state comprises a set including the violated limitsas members.

In some embodiments, the module also determines one or more reorganizebounds that represent usage levels at which reorganization should occur.For example, the reorganize bounds may comprise a pair of values,[B_(low), B_(high)], which designate a lower (B_(low)) and an upper(B_(high)) usage value (for example, measured in megabytes or number offiles). In this example, if current resource usage passes B_(low) fromabove or B_(high) from below, the quota constituent module causes areorganization to occur. In some embodiments, the reorganize bounds maybe different from a limit range, which may be defined as a half-openinterval (l_(low), l_(high)] having a lower limit l_(low) and an upperlimit l_(high). A limit range may be defined, for example, by dividingthe range from 0 to a suitable maximum value for each resource type (forexample, physical, logical, files) by all the limits applicable to thatresource type (including advisory, soft, and hard limits). In variousembodiments, the maximum value, denoted by max_value, may be infinite ora suitably large value (for example, 2⁶⁴−1 bytes for a physical orlogical space limit). Returning to the example shown in FIG. 8, thedomain d₀ has four limit ranges of [0, 1001 MB], (1001 MB, 1500 MB],(1500 MB, 2000 MB], and (2000 MB, max_value]. In this example, the firstlimit range [0, 1001 MB] is a closed at the lower usage boundary so thata domain having no usage (0 MB) does not violate usage quotas. In someembodiments, the reorganize bounds are selected to fall within aparticular limit range, for example, l_(low)≦B_(low)≦B_(high)≦l_(high).Each limit range may have different reorganize bounds. An advantage ofusing reorganize bounds is that the quota constituent module can, ifneeded, force a reorganization to occur at suitable resource usagevalues within a limit range.

In state 1608, the quota constituent module determines the total usage Uby combining the constituent usages U_(i), after completion of pendingincremental delta transactions. In state 1612, the module determineswhether there are any disk errors such as, for example, errors caused bydefective disk blocks in the storage 208 that cannot be written to orread from. Advantageously, these defective blocks can be identified andtracked so that no further reads or writes are performed therein. Ifdisk errors are found, the module returns to state 1604 and 1608 andrecomputes the limit state, reorganize bounds, and usage. State 1612 isoptional in some embodiments, and in other embodiments, it may beperformed less frequently than at every constituent reorganization.

In state 1616, the quota constituent module determines the number N ofconstituents, for example, by use of an algorithm such as Equation (1).Other algorithms for determining the number N of constituents will bedescribed below. In state 1620, the module determines the new limitstate and reorganize bounds for the number of constituents determined instate 1616. In state 1624, the module takes suitable action if there areany new limit violations (for example, if the limit state is not empty).In certain embodiments, the actions may include notifying the systemadministrator and/or user of the violation (for example, by e-mail),compressing old or less-frequently used files, moving files to adifferent storage device, and so forth.

In state 1628, the quota constituent module allocates the constituentsto nodes of the file system. FIG. 17 is a flow chart that illustrates inmore detail an embodiment of state 1628. In state 1704, the quotaconstituent module determines the availability of nodes on the filesystem to serve as constituents. The set of available resources on thenodes (for example, disks with space for allocating the quota accountingconstituents) will be denoted by D, and the number of available nodeswill be denoted by |D|. In state 1708, the quota constituent moduleinitializes a counter Q to the number of constituents determined instate 1616 shown in FIG. 16. States 1712-1740 represent an iterativeblock that the quota constituent module performs while the counter Q isnonzero. In state 1716, the module determines a set of nodes S that willbe used for a constituent. To account for mirroring, the set S comprisesP nodes, which may be randomly chosen from the available nodes D. Inother embodiments, other selection criteria may be used, such as, forexample, round robin, least recently used₁ and so forth. The P nodesselected in state 1716 are removed from the set of available nodes D,and the number of available nodes |D| is decremented by P.

In state 1724, the quota constituent module allocates the quotaaccounting domain onto the set of nodes S. For example, the module mayset up a quota domain accounting data structure such as described withreference to FIG. 13. In state 1728, the module checks whether thenumber of available nodes. |D| is less than the protection level P. If|D| is not smaller than P, there are enough remaining nodes to allocatethe next constituent (accounting for the protection level), and themodule decrements the counter Q by one in state 1736 and returns tostate 1712 if the counter is nonzero. However, in state 1728, if thenumber of available nodes |D| is smaller than the protection level P,then there are too few nodes remaining to provide a separate mirror oneach node. In this case, the quota constituent module continues in state1732, where the set D is equated to the currently available noderesources. The quota constituent module then continues in state 1736 asdescribed above and continues to allocate quota accounting domains ontothe available nodes, each of which may be allocated more than oneaccounting domain.

C. Number of Constituents

When the quota accounting system is reorganized, the number N ofconstituents may be selected based at least in part on factorsincluding, for example, the number of nodes, the protection level, andconstituent usages relative to the limit ranges. In various embodiments,the quota accounting system may utilize one or more parameters toprovide suitable control over how the number of constituents isdetermined. An example of one such parameter is the constituents pernode parameter R (described above with reference to Eq. (1)), which canbe set to provide an allocation of approximately R constituents pernode.

In certain embodiments, the number N of constituents is fixed until areorganization occurs. During the reorganization, the quota constituentmodule (in state 1616 shown in FIG. 16) determines an updated number ofconstituents based on current system properties. The updated number maybe the same as, less than, or greater than the previous number ofconstituents.

FIG. 18 is a graph schematically illustrating one example embodiment ofhow the number of constituents may depend on proximity of resource usageto a limit, such as an advisory, soft, or hard limit. In this example,the number of constituents can range between a minimum of one andmaximum of N_(max). In some embodiments, the maximum number N_(max) isdetermined from Equation (1). As seen in FIG. 18, the number ofconstituents decreases (to the minimum of one) as the resource usagenears any of the limits, which advantageously reduces the likelihood ofprocessing bottlenecks as the limit is passed. In some embodiments, asthe usage nears a limit, the number of constituents linearly ramps downto one. For example, in an embodiment, the number of constituents isdetermined according to N=max(min(N_(max), Span), 1), where Spanmeasures the “distance” of the resource usage from the nearest limit,and max and min are mathematical maximum and minimum functions,respectively. In one embodiment, if the usage is U and the nearest limitis l, then the Span may be defined as Span=floor(abs(U−l)/span_size),where floor has been defined above and abs is absolute value. Theadjustable parameter span_size may depend on factors including theresource type (for example, physical, logical, or files) and the limittype (for example, advisory, soft, or hard). The slope of the linearramps near the limits in FIG. 18 is inversely proportional to themagnitude of the parameter span_size. If span_size is selected to besufficiently large, the number of constituents will remain near one,because, in general terms, the usage will be within one “Span” of thelimit at substantially all times. Conversely, if span_size is selectedto be sufficiently small, the number of constituents will remain nearN_(max) except for a relatively narrow region near the limit. In otherembodiments, the number of constituents as a function of “Span” may beselected differently such as, for example, by selecting nonlinearfunctions to ramp down the number of constituents as usage nears alimit.

It will be recognized that during a reorganization, the number N ofconstituents may be selected based on a wide variety of mathematicalfunctions, heuristics, goals, parameters, and so forth. Three examplereorganize modes will now be described: “singleton,” “linear,” and“1-or-N.”

1. Singleton Mode

In this mode, the number N of constituents is always equal to one. Whenreorganization occurs, the new quota accounting domain may be randomlyassigned to a node (which may differ or be the same as the previousaccounting node).

In embodiments using reorganize bounds, the bounds may be set to matchthe limit range currently bounding the usage: B_(low)=l_(low) andB_(high)=l_(high). FIG. 19A is one embodiment of a graph thatillustrates that the number of constituents in the singleton mode isalways one, regardless of the “distance” of the resource usage from anyof the limits (for example, Span).

2. Linear Mode

In linear mode, the “distance” of the resource usage U from the nearestbound of the limit state (l_(low), l_(high)] is measured by the Spanvariable according to:

$\begin{matrix}{{Span} = \left\lfloor \frac{\min \left( {{{abs}\; \left( {l_{high} - U} \right)},{{abs}\left( {U - l_{low}} \right)}} \right)}{span\_ size} \right\rfloor} & (2)\end{matrix}$

For example, if the span_size is 10 MB, the current usage U=75 MB, andthe limit state is (20 MB, 100 MB], then Equation (2) indicates the Spanis 2. In linear mode, the number N of constituents is equal to thecurrent Span, bounded by the range [1, N_(max)], for example,N=max(min(Span, N_(max)), 1). FIG. 19B is one embodiment of a graph thatillustrates the number of constituents that will be selected during alinear mode reorganization as a function of the Span at the time of thereorganization. Note that since the number of constituents is held fixedat other times, the graph in FIG. 19B (and FIG. 19C) is not a dynamicrepresentation of the actual number of constituents in the quota domainaccounting system at any particular Span value. FIG. 20B, to bediscussed below, illustrates such a dynamic representation of the numberof constituents as a function of usage.

If the accounting system uses reorganize bounds, the bounds aredetermined in the following manner in some embodiments. The bounds maybe set differently based on which of the limits is “nearest” to thecurrent usage U and whether changes in usage are moving current usage Utoward or away from the nearest limit. In some implementations, thereorganize bound in the direction of the near limit is set equal to thelimit itself. A rationale for this selection is that choosing a boundwith a smaller value would cause unnecessary reorganizations to occur asthe limit is approached.

The reorganize bound in the direction of the far limit may be setdifferently depending upon whether the new number of constituents isequal to N_(max). In some embodiments, if the new number of constituentsis N_(max), then the reorganize bound is set equal to the value of thefar limit, because more frequent reorganization will not provideadditional constituents since the number of constituents is already atthe maximum value N_(max). On the other hand, if the current number N ofconstituents is less than the maximum N_(max), the reorganize bound Bmay be set equal to B=U+(N*span_size)/F, where F is a tunable ratio inthe range (0, 1]. The parameter F represents a minimum averageconstituent utilization in the direction of the far limit in order toapproximately double the number of constituents when reorganizationoccurs. For example, if F is set equal to ½, an average constituentutilization in the direction of the far limit of about 50% will resultin approximately doubling the number of constituents at the nextreorganization. If F is set equal to ¼, an average constituentutilization of only about 25% will result in approximately doubling thenumber of constituents at the next reorganization. A possible advantageof this choice for the value of the reorganize bound in the direction ofthe far limit is that by approximately doubling the number ofconstituents at a reorganization, the system performance may alsoapproximately double, at least in cases where the number of constituentsis a performance bottleneck. Additionally, if a resource user is rapidlywriting a large amount of data, the user may reach the nextreorganization point in about the same time it took to reach theprevious reorganization point, even though twice as much data is beingwritten.

3. 1-Or-N Mode

In 1-or-N mode, the number of constituents is 1 if the current Span isless than N_(max) and is N_(max) otherwise. In terms of the well-knownternary ?: operator, the number of constituents can be writtenN=(Span<N_(max))? 1: N_(max). In some embodiments, the Span isdetermined from Equation (2). FIG. 19C is one embodiment of a graph thatillustrates the number of constituents that will be selected during a1-or-N mode reorganization as a function of the Span at the time of thereorganization.

If the accounting system uses reorganize bounds, the bounds aredetermined in the following manner in some embodiments. The boundnearest the current usage U is selected using the algorithm for thelinear mode. The bound farthest from the current usage is also selectedusing the linear mode algorithm, if the number of constituents is equalto the maximum N_(max). If, instead, the current number of constituentsis 1, the far bound is determined as B=U+N*span_size, which providesthat reorganization will not occur until the distance from the nearlimit is sufficiently large to ensure that the next reorganizationresults in N_(max) constituents.

D. Example of Linear Mode Reorganization

FIGS. 20A and 20B illustrate one embodiment of an example of linear modereorganization on a distributed file system having a maximum number ofconstituents N_(max)=20 (for example, a 40 node cluster having 2×protection or a 60 node cluster having 3× protection). FIG. 20A is achart that illustrates properties related to the constituents of thequota accounting system at six snapshots in time. The initial time ist₀, and the six snapshots occur at times t₁, t₂, t₃, t₄, t₅, and t₆.During the timeframe shown in FIG. 20A, the quota constituent modulecoordinates three reorganizations at times t₂, t₄, and t₆ following aninitial reorganization at t₀. This example is intended to illustratesome of the features and aspects of linear mode reorganization but isnot intended to be limiting.

FIG. 20B is a graph that shows the number of constituents as a functionof usage for the example system illustrated in FIG. 20A. The number ofconstituents starts at 1 and increases to 4, 10, and 20 following the 3reorganizations. The usage at each reorganization is marked on the graph(for example, 72, 137, and 304). The graph demonstrates that the actualnumber of constituents in the file system at any time (for example, atany particular usage value on the graph) is not a direct mapping fromthe graph of the number of constituents versus Span illustrated in FIG.19B. The actual number of constituents at any usage value can depend onthe history of resource usage and previous numbers of constituents atearlier reorganizations.

Returning to the chart in FIG. 20A, the horizontal axis measuresresource usage (in megabytes). The example quota accounting systemincludes an advisory limit at 30 and a soft limit at 5000; accordingly,the limit state for this system is (30, 5000]. The parameter span_sizeequals 10. The current Span may be calculated using the span_sizeparameter, the total usage for a given snapshot in time, and the currentlimits in the limit state (30 and 5000). Reorganize bounds B_(low) andB_(high) are determined according to the algorithm discussed above forthe linear mode. At the top of FIG. 20A is the snapshot at the initialtime to, and subsequent snapshots are displaced downward from theinitial snapshot. Marked vertically along the chart at each of the timest_(i) are the current usage, the Span (for example, determined from Eq.(2)), and the number of constituents (“Cons”). For example, at initialtime to, the system has reorganized with a total usage of 35, 1constituent, and the Span is 0.

For each snapshot, the horizontal bar marked “Total” depicts the usageand the reorganize bounds for the total quota domain. Below the “Total”bar are one or more bars showing usage and reorganize bounds for each ofthe constituents in existence at that snapshot. The constituent bars arelabeled as “Con” followed by a numeral indexing the constituents. Forreadability at times t₄-t₆ where there are relatively many constituents,constituent bars having identical properties have been grouped together(for example, “Con1-Con7” at time t₄) and further labeled with aparenthetical indicator for the number of constituents in the grouping(for example, “x7”). Above each horizontal bar (whether for “Total” or“Con”), the reorganize bounds and the current usage are shown. Beloweach horizontal bar, the “distances” of the current usage from the lowand high reorganize bounds are shown. As can be seen in FIG. 20A, attime t₀, the initial usage of 35 is between the lower reorganize bound(30) and the upper reorganize bound (50). In this case, the lowerreorganize bound equals the value of the nearest limit (the advisorylimit at 30), and the upper reorganize bound can be determined using thelinear mode algorithm as B_(high)=U+N* span_size/F=35+1*10/(½)=55, wherea minimum average constituent utilization of F=½ has been selected forthis example. The distance between the usage and the reorganize boundsis 5 (to the lower bound) and 20 (to the upper bound). Similarcalculations can be performed at each of the other snapshots using theinformation in the chart in FIG. 20A.

The state of the accounting system changes from snapshot-to-snapshot asincremental delta transactions are received and processed by theconstituents. The left side of the chart shows the delta transaction(s)and the node(s) assigned to handle the transaction(s) at each snapshot.For example, moving from the initial state at t₀ to the first snapshotat t₁, constituent “Con1” processes an incremental delta transactionincreasing usage by 15 megabytes (“+15”). This transaction causes usageto increase from 35 to 50, and span to increase from 0 to 2. The nextdelta transaction “+22” at time t₂ is processed by constituent “Con1”and causes the usage to increase to 72, which is above the upperreorganize bound at 55. Accordingly, the quota constituent module causesthe quota accounting domain to reorganize.

Using the linear algorithm, the number of constituents afterreorganization at time t₂ is equal to 4, because the Span (equal to 4)is less than the maximum number of constituents (equal to 20). The newupper reorganize bound for the total domain is 152 (for example,72+4*10/(½)). FIG. 20A illustrates individual usages and reorganizebounds for the four constituents “Con1”-“Con4.” As discussed above, theconstituent usages and bounds are divided as equally as possible amongthe constituents. The graph in FIG. 20B illustrates the increase in thenumber of constituents from 1 to 4 at the usage level of 72.

At time t₃, each of the four constituents processes a delta transactionthat increases the total usage to 132. Usage in each constituent remainsbelow the corresponding reorganize bound. At time t₄, the firstconstituent “Con1” receives a delta request of “+5,” which is sufficientto cause the usage to exceed the upper reorganize bound in the firstconstituent. Accordingly, the quota constituent module again reorganizesthe quota accounting domain—this time into 10 constituents (see also thegraph in FIG. 20B). At time t₅, the ten constituents receive deltarequests that can be processed without causing any constituent usage topass a corresponding constituent bound. The total usage increases to300.

The final illustrated delta transaction at time t₆ is sufficient toincrease usage in constituent “Con10” above the reorganize bound, so thequota constituent module causes a third reorganization at this time. Thetotal usage (304) is sufficiently far from the lower reorganize bound,that the Span (27) exceeds the maximum number of constituents (20).Accordingly, the number of constituents increases to the maximum numberN_(max) rather than the Span. FIG. 20B illustrates the increase inconstituents from 10 to 20 at the third reorganization at a usage valueof 304. Because the number of constituents has reached its maximumvalue, the upper reorganize bound is set equal to the far limit, whichin this case is the soft limit at 5000.

Further delta transactions at times beyond t₆ that increase the usagewill not increase the number of constituents, which has reached itsmaximum value. If usage continues to increase and the soft limit at 5000is approached, further reorganizations will reduce the number ofconstituents. Near the soft limit, the number of constituents may reachthe minimum value of 1.

VI. Other Embodiments

While certain embodiments of the invention have been described, theseembodiments have been presented by way of example only, and are notintended to limit the scope of the present invention. Accordingly, thebreadth and scope of the present invention should be defined inaccordance with the following claims and their equivalents.

1. A method of implementing domain quotas within a data storage system,comprising: receiving at least one quota related to a size of a datadomain, wherein the data domain associates a subset of data storagewithin a data storage system, wherein the size measures the subset, andwherein the at least one quota defines a threshold size for the datadomain; receiving a data transaction that could change the size of thedata domain; and determining whether the data transaction could causethe size of the data domain to pass the at least one quota incombination with a subset of other pending data transactions that couldalso change the size of the data domain.
 2. The method of claim 1, if itis determined that the data storage transaction could cause the size ofthe data domain to pass the at least one quota, further comprisingpermitting the data transaction and sending a notification that the atleast one quota has been passed.
 3. The method of claim 1, if it isdetermined that the data storage transaction could cause the size of thedata domain to pass the at least one quota, further comprisingpermitting the data transaction and monitoring a condition associatedwith the size of the data domain being past the at least one quota. 4.The method of claim 3, wherein the condition is an amount of time thatthe size of the data domain is past the at least one quota.
 5. Themethod of claim 1, if it is determined that the data storage transactioncould cause the size of the data domain to pass the at least one quota,further comprising denying the data transaction.
 6. The method of claim1, wherein the determining comprises computing a maximum possible sizeor a minimum possible size of the data domain, wherein the maximumpossible size and the minimum possible size are based on cumulativechanges to the data domain that could be caused, respectively, by thedata transaction and the other pending data transactions, and furthercomprises comparing the maximum possible size or the minimum possiblesize to the at least one quota.
 7. The method of claim 1, wherein thedata storage system is associated with at least one of the following: adistributed storage system, a file system, and a distributed filesystem.
 8. The method of claim 1, wherein the data transaction and theother pending data transactions are uncommitted, concurrenttransactions.
 9. The method of claim 1, wherein the at least one quotais specific to at least one of the following: whether the datatransaction either increments or decrements the size of the data domain,the data domain, a subset of a combination of the data transaction andthe other pending data transactions.
 10. The method of claim 1, furthercomprising, if permitting the data storage transaction causes the dataquota to pass the threshold, performing at least one of the following:sending an advisory notice that the threshold has been passed andkeeping a reference associated with a time at which the threshold ispassed.
 11. A computer-readable medium having instructions storedthereon for implementing, when the instructions are executed, domainquotas within a data storage system, the instructions comprising:receiving at least one quota related to a size of a data domain, whereinthe data domain associates a subset of data storage within a datastorage system, wherein the size measures the subset, and wherein the atleast one quota defines a threshold size for the data domain; receivinga data transaction that could change the size of the data domain; anddetermining whether the data transaction could cause the size of thedata domain to pass the at least one quota in combination with a subsetof other pending data transactions that could also change the size ofthe data domain.
 12. A system for implementing domain quotas within adata storage system, comprising: a quota module configured to receive atleast one quota related to a size of a data domain, wherein the datadomain associates a subset of data storage within a data storage system,wherein the size measures the subset, and wherein the at least one quotadefines a threshold size for the data domain; to receive a datatransaction that could change the size of the data domain; and todetermine whether the data transaction could cause the size of the datadomain to pass the at least one quota in combination with a subset ofother pending data transactions that could also change the size of thedata domain.
 13. The system of claim 12, if the data transaction couldcause the size of the data domain to pass the at least one quota, themodule further configured to disallow the data transaction until theother pending data transactions have resolved₁ and then to permit thedata transaction and to send an advisory notice that the size of thedata domain has passed the at least one quota.
 14. The system of claim12, if the data transaction could cause the size of the data domain topass the at least one quota, the module further configured to disallowthe data transaction until the other pending data transactions haveresolved₁ and then to permit the data transaction and to monitor acondition associated with the size of the data domain being past the atleast one quota.
 15. The system of claim 14, wherein the condition is anamount of time.
 16. The system of claim 12, if the data transactioncould cause the size of the data domain to pass the at least one quota,the module further configured to disallow the data transaction until theother pending data transactions have resolved₁ and then, whilepostponing subsequent data transactions, to permit the data transactionand to compute, respectively, a maximum possible size or a minimumpossible size of the data domain based on the permitted datatransaction, wherein the maximum possible size or the minimum possiblesize may be used to determine whether subsequent data transactions couldcause the size of the data domain to pass the at least one quota or adifferent quota.
 17. The system of claim 12, if the data transactioncould cause the size of the data domain to pass the at least one quota,the module further configured to permit the data transaction and todetermine whether subsequent data transactions could cause the size ofthe data domain to pass a different quota from the at least one quota.18. The system of claim 12, wherein the system is at least one of thefollowing: a distributed storage system, a file system, and adistributed file system.
 19. The system of claim 12, further comprisinga persistent storage and a journal module, the journal module configuredto store in the persistent memory the data transaction after determiningwhether the data transaction could cause the size of the data domain topass the at least one quota.
 20. The system of claim 12, wherein thedata transaction could change the size of the data domain by anincremental value, and further comprising a persistent storage and ajournal module, the journal module configured to store in the persistentmemory the data transaction until the data transaction either commits oraborts, wherein the quota module is further configured to compute amaximum possible size or a minimum possible size of the data domainbased on the incremental value of the data transaction that committed oraborted.
 21. A computer-readable medium having data structures storedthereon for implementing domain quotas within a data storage system, thedata structures comprising: a domain size field, the domain size fieldcomprising a value that reflects a size of a data domain comprisingcommitted transactions; a bounded size field, the bounded size fieldcomprising a value that reflects a maximum possible size or a minimumpossible size of the data domain based on a plurality of pending datatransactions that have not committed or aborted; an incremental valuefield, the incremental value field comprising a value that reflects achange in the size of the data domain caused by a data transaction; anoperation type field, the operation type field comprising a value thatindicates whether the change in the size of the data domain caused bythe data transaction is either an increment or a decrement; and a quotafield, the quota field comprising a value that indicates a sizethreshold for either a minimum or maximum size for the size of the datadomain to be within a quota defined for the data domain.